08e8d462fe
RED PILL 🔴 💊
15 lines
590 B
Text
15 lines
590 B
Text
rule Greenbug_PDB
|
|
{
|
|
meta:
|
|
Author = "mikesxrs"
|
|
Description = "Looking for unique PDB"
|
|
Reference = "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/"
|
|
Reference2 = "http://www.clearskysec.com/greenbug/"
|
|
Date = "2017-04-05"
|
|
strings:
|
|
$PDB1 = "C:\\Users\\Void\\Desktop\\v 10.0.194\\x64\\Release\\swchost.pdb" ascii wide nocase
|
|
$PDB2 = "C:\\Users\\Void\\Desktop\\" ascii wide nocase
|
|
$PDB3 = "\\Release\\swchost.pdb" ascii wide nocase
|
|
condition:
|
|
any of them
|
|
}
|