

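// Detection for the trojanized TeamViewer DLL reported by Check Point (2019).
// The rule name is kept as-is (including the "TeamViwer" misspelling) because
// downstream tooling and match logs may already key on it.
rule TeamViwer_backdoor
{
    meta:
        date = "2019-04-14"
        description = "Detects the trojanized TeamViewer DLL (PostMessageW hook) from the FINTEAM campaign described by Check Point"
        reference = "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/"

    strings:
        // PostMessageW hook function, 32-bit x86 code. Decoded:
        //   55 8b ec          push ebp ; mov ebp, esp      (x86 prologue - this will NOT match x64 builds)
        //   8b 45 0c          mov eax, [ebp+0x0c]          (2nd stack argument, Msg in an hWnd/Msg/wParam/lParam signature)
        //   3d 12 01 00 00    cmp eax, 0x112               (0x112 = WM_SYSCOMMAND)
        //   75 05             jne +5                        (not WM_SYSCOMMAND -> fall through to the forwarding pushes)
        //   83 c8 ff          or eax, -1                    (WM_SYSCOMMAND -> return -1 instead of forwarding)
        //   eb 12             jmp +0x12
        //   8b 55 14 52       mov edx, [ebp+0x14] ; push edx   (lParam)
        //   8b 55 10 52       mov edx, [ebp+0x10] ; push edx   (wParam)
        //   50                push eax                          (Msg)
        //   8b 45 08 50       mov eax, [ebp+0x08] ; push eax    (hWnd)
        //   e8                call rel32 - the 4-byte target is deliberately NOT included, as it
        //                     changes between builds; everything before it is position-independent.
        // NOTE(review): the hard-coded [ebp+N] offsets and branch displacements are compiler
        // output, so a recompiled or differently-optimised variant of the same hook may not match.
        $x1 = { 55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8 }

    condition:
        // Restrict to PE files ("MZ" DOS header) so the raw byte pattern is not
        // evaluated against arbitrary non-PE content, then require the hook bytes.
        uint16(0) == 0x5a4d and $x1
}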