08e8d462fe
RED PILL 🔴 💊
16 lines
570 B
Text
16 lines
570 B
Text
rule EzuriLoader : LinuxMalware {
|
|
meta:
|
|
author = "AT&T Alien Labs"
|
|
type = "malware"
|
|
description = "Detects Ezuri Golang loader."
|
|
copyright = "AT&T Cybersecurity 2020"
|
|
reference = "283e0172063d1a23c20c6bca1ed0d2bb"
|
|
report = "https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader"
|
|
strings:
|
|
$a1 = "ezuri/stub/main.go"
|
|
$a2 = "main.runFromMemory"
|
|
$a3 = "main.aesDec"
|
|
condition:
|
|
uint32(0) == 0x464c457f and
|
|
filesize < 20MB and all of ($a*)
|
|
}
|