Sneed-Reactivity/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar


rule apt3_bemstour_implant_byte_patch
{
    meta:
        description = "Detects an implant used by Bemstour exploitation tool (APT3)"
        reference = "https://research.checkpoint.com/2019/upsynergy/"
        author = "Mark Lechtik"
        company = "Check Point Software Technologies LTD."
        date = "2019-06-25"
        sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"

    strings:
        // Five back-to-back "mov dword ptr [ebp - N], imm32" instructions
        // (opcode C7 45, one disp8 byte, four immediate bytes). The masked
        // byte is the disp8 -- B8, BC, C0, C4, C8 in the reference sample --
        // which is the only part of the five opcodes that differs, so the
        // rule is not tied to one particular stack layout.
        //
        // Read little-endian, the immediates spell out
        //   55 8B EC 83 EC 74 53 56 8B 75 08 33 C9 57 C7 45 8C 4C 6F 61
        // i.e. a standard x86 function prologue (push ebp / mov ebp, esp /
        // sub esp, 0x74 / push ebx / push esi ...). The pattern therefore
        // matches code that is being assembled on the stack four bytes at a
        // time, not the prologue itself.
        //
        // From the reference sample (sha256 in meta), as originally disassembled:
        //   0x41b7e1  C745B8558BEC83  mov dword ptr [ebp - 0x48], 0x83ec8b55
        //   0x41b7e8  C745BCEC745356  mov dword ptr [ebp - 0x44], 0x565374ec
        //   0x41b7ef  C745C08B750833  mov dword ptr [ebp - 0x40], 0x3308758b
        //   0x41b7f6  C745C4C957C745  mov dword ptr [ebp - 0x3c], 0x45c757c9
        //   0x41b7fd  C745C88C4C6F61  mov dword ptr [ebp - 0x38], 0x616f4c8c
        $stack_written_prologue = { C7 45 ?? 55 8B EC 83   C7 45 ?? EC 74 53 56   C7 45 ?? 8B 75 08 33   C7 45 ?? C9 57 C7 45   C7 45 ?? 8C 4C 6F 61 }

    condition:
        // Only one string is defined, so naming it is the same as "any of them".
        $stack_written_prologue
}