Sneed-Reactivity/yara-Neo23x0/crime_envrial.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

40 lines
No EOL
1.5 KiB
Text

/*
Yara Rule Set
Author: Florian Roth
Date: 2018-01-21
Identifier: Envrial
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184
*/
/* Rule Set ----------------------------------------------------------------- */
rule MAL_Envrial_Jan18_1 {
meta:
description = "Detects Encrial credential stealer malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/malwrhunterteam/status/953313514629853184"
date = "2018-01-21"
hash1 = "9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85"
hash2 = "9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d"
id = "8be5f0d8-013f-5070-9e19-9ac522c88693"
strings:
$x1 = "/Evrial/master/domen" wide
$a1 = "\\Opera Software\\Opera Stable\\Login Data" wide
$a2 = "\\Comodo\\Dragon\\User Data\\Default\\Login Data" wide
$a3 = "\\Google\\Chrome\\User Data\\Default\\Login Data" wide
$a4 = "\\Orbitum\\User Data\\Default\\Login Data" wide
$a5 = "\\Kometa\\User Data\\Default\\Login Data" wide
$s1 = "dlhosta.exe" fullword wide
$s2 = "\\passwords.log" wide
$s3 = "{{ <>h__TransparentIdentifier1 = {0}, Password = {1} }}" fullword wide
$s4 = "files/upload.php?user={0}&hwid={1}" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 900KB and (
1 of ($x*) or
3 of them or
2 of ($s*)
)
}