Sneed-Reactivity/yara-mikesxrs/Florian Roth/Havex_Trojan.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

24 lines
741 B
Text

rule Havex_Trojan
{
meta:
description = "Detects the Havex RAT malware"
date = "2014-06-24"
author = "Florian Roth"
reference = "http://goo.gl/GO5mB1"
hash = "7933809aecb1a9d2110a6fd8a18009f2d9c58b3c7dbda770251096d4fcc18849"
strings:
$magic = { 4d 5a }
$s1 = "Start finging of LAN hosts..." fullword wide
$s2 = "Finding was fault. Unexpective error" fullword wide
$s3 = "Hosts was't found." fullword wide
$s4 = "%s[%s]!!!EXEPTION %i!!!" fullword wide
$s5 = "%s <%s> (Type=%i, Access=%i, ID='%s')" fullword wide
$s6 = "Was found %i hosts in LAN:" fullword wide
$x1 = "MB Connect Line GmbH" wide fullword
$x2 = "mbCHECK" wide fullword
condition:
$magic at 0 and ( 2 of ($s*) or all of ($x*) )
}