Sneed-Reactivity/yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00


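rule ZZ_breakwin_stardust_vbs {
    // Detects the VBScript files described in the referenced Check Point
    // write-up. Any single string below produces a hit (see condition), so
    // each string is meant to be specific enough to stand on its own.
    meta:
        description = "Detect the VBS files that were found in the attacks on targets in Syria"
        reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
        author = "Check Point Research"
        date = "22-07-2021"
        // SHA-256 of the samples the rule was written against.
        hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
        hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
        hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
        hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
        hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
    strings:
        // Request path as it appears in the script source: the escaped quotes
        // and `&` are VBScript string concatenation around the CN and DT variables.
        $url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
        // Opaque password literals copied verbatim from the samples; matched as-is.
        $compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
        $compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
        // msiexec uninstall invocation with a KLLOGIN argument (named by the
        // author as a Kaspersky removal step).
        $uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
        // Process check for avp.exe preceding the above.
        $is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
    condition:
        // No file-type or size guard: the rule also fires on copies of these
        // strings embedded in other files, which is acceptable given their specificity.
        // NOTE(review): all strings are ASCII-only (no `wide` modifier); a
        // UTF-16-encoded copy of the script would not match - confirm whether
        // that is intended before deploying.
        any of them
}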