Sneed-Reactivity/yara-Neo23x0/apt_fin8.yar

rule Shellcode_APIHashing_FIN8 {
	meta:
		description = "Detects FIN8 Shellcode APIHashing"
		author = "Frank Boldewin (@r3c0nst)"
		date = "2021-03-16"
		reference = "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf"

		id = "bca5601c-2998-545b-8dd0-ec3c861e6291"
	strings:
		$APIHashing32bit1 = {81 F7 99 5D 52 69 81 F3 30 D7 00 AB} 
		$APIHashing32bit2 = {68 F2 55 03 88 68 65 19 6D 1E} 
		$APIHashing32bit3 = {68 9B 59 27 21 C1 E9 17 33 4C 24 10 68 37 5C 32 F4} 
		
		$APIHashing64bit1 = {49 BF 65 19 6D 1E F2 55 03 88 49 BE 37 5C 32 F4 9B 59 27 21} 
		$APIHashing64bit2 = {48 B8 99 5D 52 69 30 D7 00 AB}
		
	condition:
		all of ($APIHashing32bit*) or all of ($APIHashing64bit*)
}