/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2015-10-18
   Identifier: Fareit Oct 2015
*/

/*
   Fareit Trojan, Sep/Oct 2015 wave.

   Match logic: the scanned file must begin with the PE "MZ" magic, and
   both marker strings must occur somewhere inside the first 30000 bytes.
   hash1..hash7 are the 64-hex-character sample hashes (SHA-256 length)
   the rule was written against.
   super_rule = 1 presumably marks a rule that covers several samples at
   once rather than a single one; confirm against the generator's convention.
*/
rule Fareit_Trojan_Oct15
{
    meta:
        description = "Detects Fareit Trojan from Sep/Oct 2015 Wave"
        author      = "Florian Roth"
        // NOTE(review): goo.gl short links may no longer resolve; keep the
        // long-form reference alongside it if it is known.
        reference   = "http://goo.gl/5VYtlU"
        date        = "2015-10-18"
        score       = 80
        super_rule  = 1
        hash1 = "230ca0beba8ae712cfe578d2b8ec9581ce149a62486bef209b04eb11d8c088c3"
        hash2 = "3477d6bfd8313d37fedbd3d6ba74681dd7cb59040cabc2991655bdce95a2a997"
        hash3 = "408fa0bd4d44de2940605986b554e8dab42f5d28a6a525b4bc41285e37ab488d"
        hash4 = "76669cbe6a6aac4aa52dbe9d2e027ba184bf3f0b425f478e8c049637624b5dae"
        hash5 = "9486b73eac92497e703615479d52c85cfb772b4ca6c846ef317729910e7c545f"
        hash6 = "c3300c648aebac7bf1d90f58ea75660c78604410ca0fa705d3b8ec1e0a45cdd9"
        hash7 = "ff83e9fcfdec4ffc748e0095391f84a8064ac958a274b9684a771058c04cb0fa"

    strings:
        // Both strings are matched as UTF-16LE ("wide") and only on
        // word boundaries ("fullword").
        $s1 = "ebai.exe" fullword wide
        // Short fragment; possibly a truncated "OriginalFilename" value —
        // confirm against the referenced samples before widening it.
        $s2 = "Origina" fullword wide

    condition:
        // Little-endian uint16 at offset 0 equal to 0x5a4d is the byte
        // sequence 4D 5A, i.e. the "MZ" header of a PE file.
        uint16(0) == 0x5a4d
        // Every $s* string must have at least one match in the first
        // 30000 bytes; identical to requiring each string individually.
        and for all of ($s*) : ( $ in (0..30000) )
}