Sneed-Reactivity/yara-mikesxrs/vred/W32HavexNetscan.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

/*
yara-rule-havex-netscan.yar
This searches for "~tracedscn.yls" or
port activity indicative of the
W32.Havex.Netscan malware module.
NOTE: 5 ports are scanned by W32.Havex.Netscan; only 44818 was
chosen due to its high port number and hex rule limiting the
chance for a false positive!
Val A. Red, 20151206
*/
rule W32HavexNetscan
{
    meta:
        description = "Havex.Netscan search based on temp file & ports"
        in_the_wild = true
        reference = "https://github.com/vred/yara-rule-havex-netscan/blob/master/havex-netscan.yar"
    strings:
        // Temp file name associated with the module (see header), matched as
        // UTF-16LE (`wide`) and case-insensitively; ASCII occurrences are not matched.
        $file = "~tracedscn.yls" wide nocase
        // Port check left commented out: Rslinx 44818 only selected.
        // 44818 decimal is 0xAF12; as written this pattern matches bytes 0A F1 2x.
        //$p1 = { 0A F1 2? }
    condition:
        $file // and $p1
}
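Added example (not part of this repository or the upstream rule): a small Python matcher that mirrors the rule's two string types, a `wide nocase` text string and a hex string with a nibble wildcard, and runs them over constructed buffers. It shows that `wide` alone does not fire on an ASCII-only copy of the filename, and that the commented-out `0A F1 2?` pattern matches the bytes 0A F1 2x rather than AF 12, the big-endian encoding of port 44818. Only the `re` standard library is assumed.

```python
import re

# YARA `wide nocase` for an ASCII pattern: every character becomes a
# UTF-16LE code unit (byte + NUL) and ASCII letters match either case.
def wide_nocase_regex(s: str) -> re.Pattern:
    parts = []
    for ch in s:
        if ch.isalpha():
            both = ch.lower().encode() + ch.upper().encode()
            parts.append(b"[" + re.escape(both) + b"]\x00")
        else:
            parts.append(re.escape(ch.encode()) + b"\x00")
    return re.compile(b"".join(parts))

# YARA hex string with "??" (any byte) and "X?" / "?X" nibble wildcards.
def hex_pattern_regex(pattern: str) -> re.Pattern:
    out = []
    for tok in pattern.split():
        if tok == "??":
            out.append(b".")
        elif "?" in tok:
            hi, lo = tok
            if hi == "?":
                allowed = bytes(b for b in range(256) if b & 0x0F == int(lo, 16))
            else:
                allowed = bytes(range(int(hi, 16) << 4, (int(hi, 16) << 4) + 16))
            out.append(b"[" + re.escape(allowed) + b"]")
        else:
            out.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(out), re.DOTALL)

FILE_RE = wide_nocase_regex("~tracedscn.yls")
# Pattern copied from the rule's commented-out $p1. Note 44818 is 0xAF12,
# so "0A F1 2?" matches bytes 0A F1 2x, not the AF 12 big-endian port value.
PORT_RE = hex_pattern_regex("0A F1 2?")

def w32_havex_netscan(buf: bytes, require_port: bool = False) -> bool:
    """Mirror of the rule condition: $file (and $p1 when require_port is set)."""
    if not FILE_RE.search(buf):
        return False
    return bool(PORT_RE.search(buf)) if require_port else True

# Constructed sample buffers (not real samples).
SAMPLE_WIDE = b"\x00\x00" + "C:\\Temp\\~TRACEDSCN.YLS".encode("utf-16-le") + b"\x00\x00"
SAMPLE_ASCII = b"~tracedscn.yls"   # `wide` alone does not match this
SAMPLE_CLEAN = b"nothing to see here"
if __name__ == "__main__":
    for name, buf in [("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII), ("clean", SAMPLE_CLEAN)]:
        print(name, w32_havex_netscan(buf), w32_havex_netscan(buf, require_port=True))
```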