import "pe"
/*
   Indicators from the original submission. The GUIDs and the imphash
   listed here are informational only; neither rule below references
   them in its condition.
"dbgsview.exe"
Agent.exe
"adflctlmon.exe"
d3429016-d029-45b8-b260-85221265838e
76b7b11a-4124-448b-9903-15524e321f3f
2cde886e-ee24-496a-bb31-1ced6b766ced
imphash
f34d5f2d4577ed6d9ceec516c1f5a744
*/
/*
 * Flags PE files whose version resource imitates Sysinternals DebugView
 * (or the "Agent.exe" variant) while still carrying the placeholder
 * "Test Copyright" string. Depends on the pe module imported at the top
 * of the file; no string scanning is done here, so the rule is cheap
 * but only as good as the version-info keys it names (see notes below).
 */
rule apt_RU_Turla_Kazuar_DebugView_peFeatures
{
    meta:
        description = "Turla mimicking SysInternals Tools- peFeatures"
        reference = "https://www.epicturla.com/blog/sysinturla"
        version = "2.0"
        author = "JAG-S"
        score = 85
        hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
        hash2 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
        id = "0a1675c0-8645-5288-9ef6-e68ffbfe0c3b"
    condition:
        // MZ magic: cheap pre-check before any pe module lookups.
        uint16(0) == 0x5a4d
        and
        (
            // Placeholder copyright required by every branch below; the
            // second rule in this file looks for the same string as $s2.
            pe.version_info["LegalCopyright"] == "Test Copyright"
            and
            (
                (
                    pe.version_info["ProductName"] == "Sysinternals DebugView"
                    and
                    // NOTE(review): "Description" is not the standard
                    // VS_VERSIONINFO key (that is "FileDescription"). A key
                    // that is absent makes the comparison undefined, so this
                    // branch only fires if the samples really carry a
                    // "Description" key — confirm against hash1/hash2.
                    pe.version_info["Description"] == "Sysinternals DebugView"
                )
                or
                (
                    // Same version string the second rule matches as raw
                    // bytes in $op1.
                    pe.version_info["FileVersion"] == "4.80.0.0"
                    and
                    pe.version_info["Comments"] == "Sysinternals DebugView"
                )
                or
                (
                    // NOTE(review): "OriginalName" is not the standard key
                    // either (that is "OriginalFilename"); same caveat as
                    // the "Description" check above — verify on the samples.
                    pe.version_info["OriginalName"] contains "DebugView.exe"
                    and
                    pe.version_info["InternalName"] contains "DebugView.exe"
                )
                or
                (
                    // Variant using the "Agent.exe" name listed in the
                    // file header comment; same "OriginalName" caveat.
                    pe.version_info["OriginalName"] == "Agent.exe"
                    and
                    pe.version_info["InternalName"] == "Agent.exe"
                )
            )
        )
}
/*
 * String/byte-pattern companion to the pe-feature rule above: looks for
 * the same "Test Copyright" placeholder and the "4.80.0.0" version string
 * as raw content, so it does not depend on the pe module's version_info
 * parsing or on the exact version-info key names.
 */
rule APT_MAL_RU_Turla_Kazuar_May20_1 {
    meta:
        description = "Detects Turla Kazuar malware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.epicturla.com/blog/sysinturla"
        date = "2020-05-28"
        hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
        hash2 = "1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa"
        hash3 = "2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f"
        hash4 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
        id = "cd0d1fa2-5303-55f8-90a7-4a699ec79230"
    strings:
        // Present in genuine Sysinternals tools too; only discriminating
        // in combination with $s2 and $op1 (see "all of them" below).
        $s1 = "Sysinternals" ascii fullword
        // Placeholder copyright; the first rule requires the same value
        // in the LegalCopyright version-info field.
        $s2 = "Test Copyright" wide fullword

        // 34 2e 38 30 2e 30 2e 30 is ASCII "4.80.0.0", the FileVersion the
        // first rule checks. The 0x08 just before it equals that string's
        // length, which suggests a length-prefixed string; the remaining
        // bytes are taken as-is from the samples — confirm against hash1.
        $op1 = { 0d 01 00 08 34 2e 38 30 2e 30 2e 30 00 00 13 01 }
    condition:
        // MZ magic, then a size cap to bound the string scan.
        uint16(0) == 0x5a4d and
        filesize < 2000KB and
        // $s1, $s2 and $op1 must all be present.
        all of them
}