Sneed-Reactivity/yara-mikesxrs/paloalto/general_win_golang_socks.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

30 lines
989 B
Text

import "pe"
rule general_win_golang_socks
{
meta:
author = "paloaltonetworks"
date = "2022-03-13"
description = "potentially unwanted GO application with proxy communication capabilities"
reference = "https://unit42.paloaltonetworks.com/popping-eagle-malware/"
strings:
$go_name_1 = "main.go" nocase ascii // default go name for the “func main(){...}” in "package main”
$go_name_2 = "eagle" nocase ascii
$go_name_3 = "popo" nocase ascii
$go_name_4 = "-Client-Dll/" nocase ascii
$go_pkg_1 = "github.com/armon/go-socks5" nocase wide ascii
$go_pkg_2 = "github.com/hashicorp/yamux" nocase wide ascii
$go_pkg_3 = "github.com/fatedier/frp/vendor" wide ascii
$go_pkg_4 = "github.com/rofl0r/rocksocks5" wide ascii
condition:
uint16(0) == 0x5a4d and
filesize < 7MB and
(
1 of ($go_name_*) and
2 of ($go_pkg_*)
)
}