
// Detection rule for the Neutrino (N3utrino) family: matches either one of the
// bot's HTTP POST body formats or a cluster of its plaintext command keywords.
rule N3utrino
{
    meta:
        Author      = "Nick Hoffman"
        Description = "Detects versions of Neutrino malware"
        ref         = "http://www.morphick.com/resources/lab-blog/evening-n3utrino"

    strings:
        // C2 POST body templates (printf-style format strings embedded in the bot).
        // Any one of these is a strong, specific indicator on its own.
        $post_host_information = "getcmd=1&uid=%s&os=%s&av=%s&nat=%s&version=%s&serial=%s&quality=%i"
        $post_cc_information   = "dumpgrab=1&track_type=%s&track_data=%s&process_name=%s"
        $post_taskexec         = "taskexec=1&task_id=%s"
        $post_taskfail         = "taskfail=1&task_id=%s"

        // Bot command keywords. These are short, generic words with no modifiers,
        // so individually they are weak; the condition requires several together.
        // NOTE(review): without `fullword` (or a file-type check such as a PE header
        // test), 4 of these 8 words can also occur in benign binaries — validate
        // against the samples before tightening.
        $command1 = "loader"
        $command2 = "findfile"
        $command3 = "spread"
        $command4 = "archive"
        $command5 = "usb"
        $command6 = "botkiller"
        $command7 = "dwflood"
        $command8 = "keylogger"

    condition:
        // Specific C2 format string, or at least half of the command vocabulary.
        4 of ($command*) or any of ($post*)
}