08e8d462fe
RED PILL 🔴 💊
50 lines
2.8 KiB
Text
50 lines
2.8 KiB
Text
rule MAL_CRIME_suspicious_hex_string_Jun21_1 : CRIME PE {
|
|
meta:
|
|
author = "Nils Kuhnert"
|
|
date = "2021-06-04"
|
|
description = "Triggers on parts of a big hex string available in lots of crime'ish PE files."
|
|
hash1 = "37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34"
|
|
hash2 = "3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69"
|
|
hash3 = "cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888"
|
|
hash4 = "404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa"
|
|
hash5 = "479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e"
|
|
id = "2ad208fa-c7a5-5df9-96fe-4a84dc770f0f"
|
|
strings:
|
|
$a1 = "07032114130C0812141104170C0412147F6A6A0C041F321104130C0412141104030C0412141104130C0412141104130C0412141104130C0412141104130C0412141104130C0412141104130C0412141122130C0412146423272A711221112B1C042734170408622513143D20262B0F323038692B312003271C170B3A2F286623340610241F001729210579223202642200087C071C17742417020620141462060F12141104130C0412141214001C0412011100160C0C002D2412130C0412141104130C04121A11041324001F140122130C0134171" ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 10MB and all of them
|
|
}
|
|
|
|
rule MAL_CRIME_Unknown_LNK_Jun21_1: LNK POWERSHELL {
|
|
meta:
|
|
author = "Nils Kuhnert"
|
|
date = "2021-06-04"
|
|
description = "Triggers on malicious link files which calls powershell with an obfuscated payload and downloads an HTA file."
|
|
hash1 = "8fc7f25da954adcb8f91d5b0e1967e4a90ca132b280aa6ae73e150b55d301942"
|
|
hash2 = "f5da192f4e4dfb6b728aee1821d10bec6d68fb21266ce32b688e8cae7898a522"
|
|
hash3 = "183a9b3c04d16a1822c788d7a6e78943790ee2cdeea12a38e540281091316e45"
|
|
hash4 = "a38c6aa3e1c429a27226519b38f39f03b0b1b9d75fd43cd7e067c5e542967afe"
|
|
hash5 = "455f7b6b975fb8f7afc6295ec40dae5696f5063d1651f3b2477f10976a3b67b2"
|
|
id = "d1aac420-fd91-5577-8efd-fcdd7f733981"
|
|
strings:
|
|
$uid = "S-1-5-21-1437133880-1006698037-385855442-1004" wide
|
|
condition:
|
|
uint16(0) == 0x004c and all of them
|
|
}
|
|
|
|
rule MAL_CRIME_Unknown_ISO_Jun21_1 : ISO POWERSHELL LNK {
|
|
meta:
|
|
author = "Nils Kuhnert"
|
|
date = "2021-06-04"
|
|
description = "Triggers on ISO files that mimick NOBELIUM TTPs, but uses LNK files that call powershell instead."
|
|
hash1 = "425dbed047dd2ce760d0848ebf7ad04b1ca360f111d557fc7bf657ae89f86d36"
|
|
hash2 = "f6944b6bca627e219d9c5065f214f95eb2226897a3b823b645d0fd78c281b149"
|
|
hash3 = "14d70a8bdd64e9a936c2dc9caa6d4506794505e0e3870e3a25d9d59bcafb046e"
|
|
hash4 = "9b2ca8eb6db34b07647a74171a5ff4c0a2ca8000da9876ed2db6361958c5c080"
|
|
id = "73a1fc44-45c4-5253-b81d-fa6686dc0644"
|
|
strings:
|
|
$uid = "S-1-5-21-1437133880-1006698037-385855442-1004" wide
|
|
$magic = "CD001" ascii
|
|
condition:
|
|
filesize < 5MB and all of them
|
|
}
|