RED PILL 🔴 💊
// Agent Tesla infostealer: matches literal HTML fragments found in the sample
// described in the referenced Stormshield write-up. Each string is searched as
// plain ASCII and as UTF-16LE ("wide"); the wide form is what a .NET binary
// typically stores for string literals -- presumably why both modifiers are set,
// verify against the sample if the rule is narrowed.
rule agent_tesla
{
    meta:
        description = "Detecting HTML strings used by Agent Tesla malware"
        author = "Stormshield"
        version = "1.0"
        reference = "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/"

    strings:
        // Host-identification labels. Each atom keeps the leading "<br>" and the
        // " : " separator so ordinary prose containing "UserName" or "PC Name"
        // does not satisfy it on its own.
        $html_username = "<br>UserName : " wide ascii
        $html_pc_name = "<br>PC Name : " wide ascii
        $html_os_name = "<br>OS Full Name : " wide ascii
        $html_os_platform = "<br>OS Platform : " wide ascii
        // Clipboard section header with its exact inline CSS; this is the most
        // specific of the five atoms and is unlikely to appear outside this
        // family's output. It is also the most brittle if the author re-styles
        // the template.
        $html_clipboard = "<br><span style=font-style:normal;text-decoration:none;text-transform:none;color:#FF0000;><strong>[clipboard]</strong></span>" wide ascii

    condition:
        // Any three of the five fragments: more than one is required so a single
        // generic label cannot fire the rule, fewer than all five so a variant
        // that drops or rewords one section still matches.
        // NOTE(review): there is no file-type, size or entry-point guard, so the
        // rule also hits any text that quotes these fragments (analyst reports,
        // this rule file itself). If a deployment only scans executables, a
        // "uint16(0) == 0x5A4D and" prefix would cut those hits; it is left out
        // here so memory dumps and dropped report files are still covered.
        3 of them
}