Sneed-Reactivity/yara-mikesxrs/g00dv1n/Trojan.Gamarue.Andromeda.yar

// Detection rule for the Andromeda/Gamarue dropper: one x86 code fragment,
// one PDB build path, one obfuscated string and a set of generic dropper
// artefact strings. Meta carries only a description and a threat level;
// author, reference and date are not recorded in this rule.
rule TrojanDropperWin32Gamarue_A_Andromeda
{
meta:
Description = "Trojan.Andromeda.sm"
ThreatLevel = "5"
strings:
// x86 code fragment. The opcodes resemble a compiler-inlined wide-character
// string compare loop (mov dx,[eax] / cmp dx,[ecx] / add eax,4 / add ecx,4)
// followed by a call through edi and a test of its return value — presumed
// from the bytes only, confirm against a sample before tightening the mask.
$ = { 66 8B 10 66 3B 11 75 1E 66 3B D3 74 15 66 8B 50 02 66 3B 51 02 75 0F 83 C0 04 83 C1 04 66 3B D3 75 DE 33 C0 EB 05 1B C0 83 D8 FF 3B C3 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? ?? 56 FF D7 85 C0 75 ?? }
// Build artefact: PDB path left in the dropper binary. Matches on its own
// (see condition), so it is the strongest single indicator here.
$a = "ldr\\CUSTOM\\local\\local\\Release\\ADropper.pdb" ascii wide
// Generic installer/dropper artefacts. `\MSI`, `\#MSI` and `\msiexec.exe`
// also occur in legitimate MSI-based installers, so individually they are
// weak; they only count toward the "3 of them" threshold.
$ = "EpisodeNorth.exe" ascii wide
$ = "HandballChampionship.exe" ascii wide
$ = "\\#MSI" ascii wide
$ = "\\MSI" ascii wide
$ = "\\msiexec.exe" ascii wide
// avp.exe is commonly an antivirus process name; presumably referenced by
// the dropper for AV presence checks — not confirmable from this rule alone.
$ = "avp.exe" ascii wide
$ = "\\(empty).lnk" ascii wide
// Obfuscated string; looks like a system/registry path with filler
// characters inserted — decoding not verified here. Matches on its own.
$b = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst" ascii wide
condition:
// `them` counts every string above, anonymous and named alike, so any three
// (including $a/$b) satisfy the first clause; $a or $b also match alone.
// NOTE(review): the three generic MSI path strings alone reach the count,
// so benign installers may match; consider requiring the code fragment,
// $a or $b in addition to the generic strings if false positives appear.
(3 of them) or $a or $b
}