RED PILL 🔴 💊
rule apt3_bemstour_implant_byte_patch
{
    meta:
        description = "Detects an implant used by Bemstour exploitation tool (APT3)"
        reference = "https://research.checkpoint.com/2019/upsynergy/"
        author = "Mark Lechtik"
        company = "Check Point Software Technologies LTD."
        date = "2019-06-25"
        sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"

    // What is matched: five consecutive `mov dword ptr [ebp - disp8], imm32`
    // instructions (encoding C7 45 <disp8> <imm32>) that write a 20-byte
    // code stub onto the stack one dword at a time. In the reference sample
    // (sha256 above) they sit at 0x41b7e1..0x41b7fd:
    //
    //   0x41b7e1  C745B8558BEC83  mov dword ptr [ebp - 0x48], 0x83ec8b55
    //   0x41b7e8  C745BCEC745356  mov dword ptr [ebp - 0x44], 0x565374ec
    //   0x41b7ef  C745C08B750833  mov dword ptr [ebp - 0x40], 0x3308758b
    //   0x41b7f6  C745C4C957C745  mov dword ptr [ebp - 0x3c], 0x45c757c9
    //   0x41b7fd  C745C88C4C6F61  mov dword ptr [ebp - 0x38], 0x616f4c8c
    //
    // Only the immediates are pinned; the disp8 byte (B8, BC, C0, C4, C8 in
    // the sample) is wildcarded so a rebuild with a different frame layout
    // still triggers. Read in memory order the immediates begin 55 8B EC,
    // i.e. `push ebp; mov ebp, esp` - the stub appears to be a small
    // function prologue (the later dwords are not decoded here).

    strings:
        // One 7-byte instruction per line; "??" stands for the disp8 byte.
        $stack_stub = {
            C7 45 ?? 55 8B EC 83
            C7 45 ?? EC 74 53 56
            C7 45 ?? 8B 75 08 33
            C7 45 ?? C9 57 C7 45
            C7 45 ?? 8C 4C 6F 61
        }

    condition:
        // Single pattern, so referencing it directly is the same as "any of them".
        $stack_stub
}