08e8d462fe
RED PILL 🔴 💊
23 lines
No EOL
848 B
Text
23 lines
No EOL
848 B
Text
import "pe"
|
|
rule ducktail_nativeaot
|
|
{
|
|
meta:
|
|
author="WithSecure"
|
|
description="Detects NativeAOT variants of DUCKTAIL malware"
|
|
date="2022-11-17"
|
|
version="1.0"
|
|
reference="https://labs.withsecure.com/publications/ducktail_returns"
|
|
hash1="b043e4639f89459cae85161e6fbf73b22470979e"
|
|
hash2="073b092bf949c31628ee20f7458067bbb05fda3a"
|
|
hash3="d1f6b5f9718a2fe9eaac0c1a627228d3f3b86f87"
|
|
report = "https://www.withsecure.com/en/expertise/research-and-innovation/research/ducktail-an-infostealer-malware"
|
|
condition:
|
|
uint16(0) == 0x5A4D
|
|
and filesize > 15MB
|
|
and (pe.section_index(".managed") >= 0
|
|
or pe.exports("DotNetRuntimeDebugHeader")
|
|
)
|
|
and pe.exports("SendFile")
|
|
and pe.exports("Start")
|
|
and pe.exports("Open")
|
|
} |