Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-Neo23x0/apt_stealer_cisa_ar22_277a.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK 
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

67 lines
No EOL
2.4 KiB
Text
Raw Blame History

/* slightly modified by Florian Roth */
rule APT_MAL_CISA_10365227_03_ClientUploader_Dec21 {
meta:
author = "CISA Code & Media Analysis"
date = "2021-12-23"
modified = "2021-12-24"
score = 80
description = "Detects ClientUploader onedrv"
reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a"
hash1 = "84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb"
id = "4eeadb28-9312-5602-932a-36acb48772f4"
strings:
$s1 = "Decoder2"
$s2 = "ClientUploader"
$s3 = "AppDomain"
$s4 = { 5F 49 73 52 65 70 47 ?? 44 65 63 6F 64 65 72 73 }
$s5 = "LzmaDecoder"
$s6 = "$ee1b3f3b-b13c-432e-a461-e52d273896a7"
condition:
uint16(0) == 0x5a4d and all of them
}
rule APT_MAL_CISA_10365227_01_APPSTORAGE_Dec21 {
meta:
author = "CISA Code & Media Analysis"
date = "2021-12-23"
modified = "2021-12-24"
family = "APPSTORAGE"
score = 80
description = "Detects AppStorage ntstatus msexch samples"
reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a"
hash1 = "157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656"
hash2 = "30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc"
id = "a44c5609-980f-5961-921c-6b1824cdd49c"
strings:
$s1 = "026B924DD52F8BE4A3FEE8575DC"
$s2 = "GetHDDId"
$s3 = "AppStorage"
$s4 = "AppDomain"
$s5 = "$1e3e5580-d264-4c30-89c9-8933c948582c"
$s6 = "hrjio2mfsdlf235d" wide
condition:
uint16(0) == 0x5a4d and all of them
}
rule APT_MAL_CISA_10365227_02_ClientUploader_Dec21 {
meta:
author = "CISA Code & Media Analysis"
date = "2021-12-23"
modified = "2021-12-24"
score = 80
description = "Detects ClientUploader_mqsvn"
reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a"
hash1 = "3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350"
id = "84351df9-e225-5c3f-9385-523246681a97"
strings:
$s1 = "UploadSmallFileWithStopWatch"
$s2 = "UploadPartWithStopwatch"
$s3 = "AppVClient"
$s4 = "ClientUploader"
$s5 = { 46 69 6C 65 43 6F 6E 74 61 69 6E 65 72 2E 46 69 6C 65 41 72 63 68 69 76 65 }
$s6 = { 4F 6E 65 44 72 69 76 65 43 6C 69 65 6E 74 2E 4F 6E 65 44 72 69 76 65 }
condition:
uint16(0) == 0x5a4d and all of them
}
Reference in a new issue View git blame Copy permalink