Sneed-Reactivity/yara-mikesxrs/Cluster 25/GhostWriter_MicroBackdoor_72632_00001.yar

// Cluster25 detection for a MicroBackdoor variant tied to the GhostWriter / UNC1151
// activity described in the `report` meta. Matches PE files that carry every one of the
// sample-specific strings below; the `hash1` meta is the reference sample it was written from.
rule GhostWriter_MicroBackdoor_72632_00001 {
    meta:
        author = "Cluster25"
        hash1 = "559d8e8f2c60478d1c057b46ec6be912fae7df38e89553804cc566cac46e8e91"
        tlp = "white"
        report = "https://blog.cluster25.duskrise.com/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine"
    strings:
        // Format string used to hand a command line to cmd.exe; stored as UTF-16 in the sample.
        $s1 = "cmd.exe /C \"%s%s\"" fullword wide
        // Module name referenced by the sample.
        $s2 = "client.dll" fullword ascii
        // Error strings emitted by the backdoor's command handler. The misspelling
        // "occured" is the sample's own text and must stay byte-exact to match.
        $s3 = "ERROR: Unknown command" fullword ascii
        $s4 = " *** ERROR: Timeout occured" fullword ascii
        // Format string for the Internet Settings registry path under a caller-supplied hive prefix
        // (escaped backslashes are literal in the binary).
        $s5 = "%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword ascii
        // First base64 line of an embedded PEM-style certificate body ("MII…" is the usual
        // prefix of a base64-encoded DER SEQUENCE); presumably pins one specific embedded cert,
        // so expect this string to change between builds that rotate certificates.
        $s6 = "MIIDazCCAlOgAwIBAgIUWOftflCclQXpmWMnL1ewj2F5Y1AwDQYJKoZIhvcNAQEL" fullword ascii
    condition:
        // "MZ" at offset 0 restricts the rule to DOS/PE images; every string above must be present.
        uint16(0) == 0x5a4d
        and all of ($s*)
}