08e8d462fe
RED PILL 🔴 💊
59 lines
5.9 KiB
Text
59 lines
5.9 KiB
Text
rule RedDelta_loader
|
|
{
|
|
meta:
|
|
copyright = "Intezer Labs"
|
|
author = "Intezer Labs"
|
|
reference = "https://www.intezer.com"
|
|
strings:
|
|
$str1 = "DotNetLoader"
|
|
$str2 = "clipboardinject"
|
|
$str3 = "InjectShellCode"
|
|
$str4 = "WMIBackdoor"
|
|
condition:
|
|
3 of them
|
|
}
|
|
|
|
rule RedDelta_vaccine
|
|
{
|
|
meta:
|
|
copyright = "Intezer Labs"
|
|
author = "Intezer Labs"
|
|
reference = "https://www.intezer.com"
|
|
strings:
|
|
$a1 = { 4C [7] 48 [7] 48 [6] E8 [4] 0F B6 [1] 85 [1] 0F 84 [4] 48 [6] 48 [4] E8 [4] 9? 48 [4] 48 [7] E8 [4] 9? 48 [4] E8 [4] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] 48 [7] 48 [7] E8 [4] E8 [4] 48 [6] 48 [7] E8 [4] C6 [7] C6 [7] C6 [7] C6 [7] E8 [4] 48 [7] 48 [7] E8 [4] E8 [4] 48 [7] E8 [4] 48 [4] E8 [4] 48 [7] 48 [2] 33 [1] B9 [4] F3 [1] E8 [4] 4C [4] BA [4] 48 [7] E8 [4] B8 [4] 48 [3] 0F BE [6] 85 [1] 74 [1] 48 [7] 48 [7] E8 [4] 89 }
|
|
$a2 = { 0F 10 [2] 0F 29 [3] F2 [4] F2 [5] 48 [3] 48 [2] 45 [2] 48 [4] FF 5? [1] 48 [3] 48 [2] FF 5? [1] 48 [3] 48 [2] FF 5? [1] BF [4] 48 [6] FF 1? [4] 9? 48 [6] FF 1? [4] 9? 48 [6] FF 1? [4] 9? 48 [6] FF 1? [4] 9? 48 [3] FF 1? [4] 9? 48 [6] FF 1? [4] 8B [1] 48 [6] 48 [2] E8 [4] 48 [7] 48 [6] 5? 5? 5? C3 }
|
|
$a3 = { 48 [7] 48 [2] 33 [1] B9 [4] F3 [1] 48 [7] 48 [2] 33 [1] B9 [4] F3 [1] B8 [4] 66 [7] B8 [4] 66 [7] 48 [6] 48 [7] E8 [4] 48 [7] 48 [7] E8 [4] 48 [7] E8 [4] 48 [6] 48 [7] E8 [4] 48 [6] 48 [7] E8 [4] 48 [6] 48 [7] E8 [4] 48 [7] 48 [7] E8 [4] 48 [2] 48 [7] E8 [4] 48 [7] E8 [4] 48 [7] E8 [4] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] 48 [7] 48 [7] E8 [4] 48 [7] E8 [4] C7 [7] 48 [8] 41 [5] 4C [2] 33 [1] 33 [1] FF 1? [4] 89 [3] 48 [4] 48 [7] B8 [4] 48 [7] 48 [2] 48 [6] 48 [3] 48 [2] E8 [4] 48 [7] 48 [7] 48 [4] 48 [7] E8 [4] 8B [3] 89 [3] 48 [4] 48 [4] 41 [5] 4C [2] 33 [1] 33 [1] FF 1? [4] 0F B6 [3] 85 [1] 0F 85 [4] 48 [4] 48 [7] 48 [8] 48 [4] 48 [7] 48 [4] 66 [4] 75 }
|
|
$a4 = { 48 [3] 48 [2] 83 [2] FF 5? [1] 48 [3] 48 [2] 33 [1] FF 5? [1] B8 [4] 66 [3] 48 [6] E8 [4] 48 [3] 0F 10 [2] 0F 29 [2] F2 [4] F2 [4] 48 [3] FF 1? [4] 9? 0F 10 [2] 0F 29 [2] F2 [4] F2 [4] 48 [3] FF 1? [4] 9? 0F 10 [2] 0F 29 [3] F2 [4] F2 [5] 48 [3] 48 [2] 48 [3] 48 [4] 48 [3] 48 [4] C7 [7] 48 [3] 48 [4] 48 [4] 48 [4] 41 [5] 4C [3] 48 [6] FF 9? [4] 89 [2] 48 [3] FF 1? [4] 9? 48 [3] FF 1? [4] 9? 48 [3] FF 1? [4] 83 [3] 7D [1] 48 [6] 48 [4] E8 [4] 8B [2] 48 [2] E8 [4] 48 [3] 48 [2] 74 }
|
|
$a5 = { 4C [7] 48 [7] 48 [6] E8 [4] 0F B6 [1] 85 [1] 0F 84 [4] 48 [6] 48 [4] E8 [4] 9? 48 [4] 48 [7] E8 [4] 9? 48 [4] E8 [4] E8 [4] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] 48 [7] 48 [7] E8 [4] E8 [4] 48 [6] 48 [7] E8 [4] E8 [4] C6 [7] C6 [7] C6 [7] C6 [7] E8 [4] 48 [7] 48 [7] E8 [4] E8 [4] 48 [7] E8 [4] 48 [4] E8 [4] 48 [7] 48 [2] 33 [1] B9 [4] F3 [1] E8 [4] 4C [4] BA [4] 48 [7] E8 [4] E8 [4] B8 [4] 48 [3] 0F BE [6] 85 [1] 74 [1] 48 [7] 48 [7] E8 [4] 89 }
|
|
$a6 = { 48 [4] 48 [4] 48 [4] 5? 48 [7] 48 [6] 48 [6] 48 [2] 48 [6] B8 [4] 48 [2] 66 [3] 48 [3] 48 [3] 80 7? [3] 48 [3] 75 [1] 48 [3] C7 [7] 48 [4] 44 [3] 33 [1] 4C [3] 33 [1] FF 1? [4] 48 [3] FF 1? [4] 33 [1] 48 [6] 48 [2] 66 [4] 33 [1] 48 [4] 48 [4] 89 [3] 66 [4] FF 1? [4] 48 [6] FF 1? [4] 8B [5] 48 [6] F2 [7] 89 [2] 0F B7 [5] 66 [3] 0F B6 [5] 88 [2] 8B [5] 89 [2] 0F B7 [5] 66 [3] 0F B6 [5] F2 [4] F2 [7] 88 [2] F2 [4] FF 1? [4] 48 [2] 48 [3] 48 [3] FF 1? [4] 8D [2] 33 [1] FF D? 89 [2] 85 [1] 79 }
|
|
$a7 = { 4C [7] 48 [7] 48 [6] E8 [4] 0F B6 [1] 85 [1] 0F 84 }
|
|
$b8 = { 4C [7] 48 [7] 48 [6] E8 [4] 0F B6 [1] 85 [1] 0F 84 [4] 48 [6] 48 [4] E8 [4] 9? 48 [4] 48 [7] E8 [4] 9? 48 [4] E8 [4] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] C6 [7] 48 [7] 48 [7] E8 [4] E8 [4] 48 [6] 48 [7] E8 [4] C6 [7] C6 [7] C6 [7] C6 [7] E8 [4] 48 [7] 48 [7] E8 [4] E8 [4] 48 [7] E8 [4] 48 [4] E8 [4] 48 [7] 48 [2] 33 [1] B9 [4] F3 [1] E8 [4] 4C [4] BA [4] 48 [7] E8 [4] B8 [4] 48 [3] 0F BE [6] 85 [1] 74 }
|
|
$a9 = { 80 7? [3] 48 [3] 75 [1] 48 [3] C7 [7] 48 [4] 44 [3] 33 [1] 4C [3] 33 [1] FF 1? [4] 48 [3] FF 1? [4] 33 [1] 48 [6] 48 [2] 66 [4] 33 [1] 48 [4] 48 [4] 89 [3] 66 [4] FF 1? [4] 48 [6] FF 1? [4] 8B [5] 48 [6] F2 [7] 89 [2] 0F B7 [5] 66 [3] 0F B6 [5] 88 [2] 8B [5] 89 [2] 0F B7 [5] 66 [3] 0F B6 [5] F2 [4] F2 [7] 88 [2] F2 [4] FF 1? [4] 48 [2] 48 [3] 48 [3] FF 1? [4] 8D [2] 33 [1] FF D? 89 [2] 85 [1] 79 [1] 45 [2] 48 [4] 33 [1] 48 [4] 48 [4] E8 [4] 44 [3] 48 [6] 48 [4] E8 [4] 8B [2] 48 [4] E8 [4] 33 [1] E9 }
|
|
$a10 = { 48 [7] E8 [4] 48 [7] 48 [7] 48 [2] 48 [7] FF 5? [1] 48 [11] 48 [7] E8 [4] 48 [7] 48 [6] FF 1? [4] 48 [7] 48 [2] 48 [7] 4C [7] 48 [2] 48 [7] 48 [7] FF 9? [4] 89 [3] 83 [4] 0F 8D }
|
|
$b11 = { 48 [7] E8 [4] 48 [7] 48 [7] 48 [2] 48 [7] FF 5? [1] 0F B6 [3] 85 [1] 74 [1] 48 [7] E8 [4] 48 [7] 48 [6] FF 1? [4] 48 [7] 48 [2] 48 [7] 48 [7] 4C [2] 41 [5] 48 [2] 48 [7] 48 [7] FF 9? [4] 89 [3] EB }
|
|
$a12 = { 80 7? [3] 48 [3] 75 [1] 48 [3] C7 [7] 48 [4] 44 [3] 33 [1] 4C [3] 33 [1] FF 1? [4] 48 [3] FF 1? [4] 33 [1] 48 [6] 48 [2] 66 [4] 33 [1] 48 [4] 48 [4] 89 [3] 66 [4] FF 1? [4] 48 [6] FF 1? [4] 8B [5] 48 [6] F2 [7] 89 [2] 0F B7 [5] 66 [3] 0F B6 [5] 88 [2] 8B [5] 89 [2] 0F B7 [5] 66 [3] 0F B6 [5] F2 [4] F2 [7] 88 [2] F2 [4] FF 1? [4] 48 [2] 48 [3] 48 [3] FF 1? [4] 8D [2] 33 [1] FF D? 89 [2] 85 [1] 79 }
|
|
$b13 = { 0F 10 [5] 0F B6 [5] 48 [3] 48 [3] 0F 11 [2] 88 [2] FF 1? [4] 33 [1] 48 [4] 4C [6] 48 [6] 44 [3] FF D? 89 [2] 85 [1] 79 }
|
|
|
|
condition:
|
|
6 of them
|
|
}
|
|
|
|
rule RedDelta_c2
|
|
{
|
|
meta:
|
|
copyright = "Intezer Labs"
|
|
author = "Intezer Labs"
|
|
reference = "https://www.intezer.com"
|
|
strings:
|
|
$str1 = "update.flach.cn"
|
|
$str2 = "update.flach.com.cn"
|
|
$str3 = "aHR0cDovL3VwZGF0ZS5mbGFjaC5jbg=="
|
|
$str4 = "www.flach.cn"
|
|
$str5 = "159.138.84.217"
|
|
$str6 = "update.careerhuawei.net"
|
|
$str7 = "aHR0cDovL3VwZGF0ZS5jYXJlZXJodWF3ZWkubmV0Ojgx"
|
|
$str8 = "update1.jscachecdn.com"
|
|
|
|
condition:
|
|
any of them
|
|
}
|