

// Winnti loader detection. Matches content that contains both the file name
// "loadoerf.ini" and the symbol name "gzwrite64"; per the meta description the
// loader resolves gzwrite64 from loadoerf.ini. Strings are checked as whole
// words in both ASCII and UTF-16 form.
// Note: the condition carries no file-header or filesize gate, so any file type
// that holds both strings will match, not only PE images.
rule malware_windows_winnti_loadperf_dll_loader
{
    meta:
        author      = "@mimeframe"
        description = "Winnti APT group; gzwrite64 imported from loadoerf.ini"
        reference   = "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/"
        md5         = "879ce99e253e598a3c156258a9e81457"

    strings:
        // File name the loader references
        $ini_name    = "loadoerf.ini" fullword ascii wide
        // Symbol name resolved from that file
        $import_name = "gzwrite64" fullword ascii wide

    condition:
        // Both artefacts must be present together; neither string matches on its own
        $ini_name and $import_name
}