Sneed-Reactivity/yara-mikesxrs/Nick Hoffman/Check_UserNames.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

16 lines
No EOL
442 B
Text

import "pe"
rule Check_UserNames
{
meta:
Author = "Nick Hoffman"
Description = "Looks for malware checking for common sandbox usernames"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
$user1 = "MALTEST" wide ascii
$user2 = "TEQUILABOOMBOOM" wide ascii
$user3 = "SANDBOX" wide ascii
$user4 = "VIRUS" wide ascii
$user5 = "MALWARE" wide ascii
condition:
all of ($user*) and pe.imports("advapi32.dll","GetUserNameA")
}