
// Hancitor maldoc dropper (moutonplacide, 2016-11-23).
// Fires on an OLE2 compound-file container (legacy .doc) that also carries
// the "Kimberly" author string and the eight-uppercase-letter marker
// followed by 0x08 0x00 that the original rule attributes to STARFALL / FORTINET.
rule Hancidoc : Dropper
{
    meta:
        author      = "moutonplacide"
        date        = "2016-11-23"
        description = "Hancitor document dropper"

    strings:
        // OLE2 / Compound File Binary signature plus the first two CLSID bytes;
        // the condition anchors it at offset 0 so the file must *be* an OLE2 container.
        $doc = { D0 CF 11 E0 A1 B1 1A E1 00 00 }

        // Author string the original rule keys on. Presumably document metadata,
        // but the rule does not say where it lives. Kept ASCII-only (no "wide"),
        // exactly as the original.
        $author = "Kimberly"

        // Eight uppercase letters immediately followed by 0x08 0x00
        // (STARFALL / FORTINET marker, per the original comment).
        $pe_marker = /[A-Z]{8}\x08\x00/

    condition:
        // Same logic as the original: header at offset 0 AND both content markers.
        $doc at 0 and all of ($author, $pe_marker)
}