/*
   Yara Rule Set

   Author: SECUINFRA Falcon Team
   Date: 2022-06-23
   Identifier: 0x03-yara_win-Bitter_T-APT-17
   Reference: "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
*/

/* Rule Set ------------------------------------------------------------ */
|
|
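// Detects Bitter (T-APT-17) Windows payloads by the PDB (debug symbol) paths
// left in the compiled binaries.
//
// Reviewer caveats:
//  - PDB paths are build-environment artifacts, not behaviour: the actor can
//    strip them or rebuild in a different directory, so this rule covers only
//    the referenced samples and should be paired with behavioural/code rules.
//  - Each path is kept as two fragments (directory prefix, project/file
//    suffix), presumably so that either half still fires if the other is
//    changed between builds - TODO confirm against the referenced samples.
//  - All strings carry an explicit `ascii` modifier; that is YARA's default
//    and is spelled out here only for consistency across the set.
rule APT_Bitter_PDB_Paths {
    meta:
        description = "Detects Bitter (T-APT-17) PDB Paths"
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        tlp = "WHITE"
        reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
        date = "2022-06-22"
        hash0 = "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396"

    strings:
        // Almond RAT: build directory prefix and project/file suffix of the PDB path
        $pdbPath0 = "C:\\Users\\Window 10 C\\Desktop\\COMPLETED WORK\\" ascii
        $pdbPath1 = "stdrcl\\stdrcl\\obj\\Release\\stdrcl.pdb" ascii

        // Found by Qi Anxin Threat Intelligence Center
        // reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg
        $pdbPath2 = "g:\\Projects\\cn_stinker_34318\\" ascii
        $pdbPath3 = "renewedstink\\renewedstink\\obj\\Release\\stimulies.pdb" ascii

    condition:
        // "MZ" DOS header magic: restrict matching to PE files so the bare
        // path fragments do not fire on reports, logs or scripts quoting them.
        uint16(0) == 0x5a4d
        and any of ($pdbPath*)
}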
|