mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-06 18:15:20 +00:00
Turla Agent.BTZ
This commit is contained in:
parent
b1641ee954
commit
4ca62a2556
@ -168,15 +168,44 @@ rule Turla_KazuarRAT {
|
||||
date = "2018-04-08"
|
||||
hash1 = "6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa"
|
||||
hash2 = "7594fab1aadc4fb08fb9dbb27c418e8bc7f08dadb2acf5533dc8560241ecfc1d"
|
||||
hash3 = "4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198"
|
||||
hash3 = "4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198"
|
||||
strings:
|
||||
$x1 = "~1.EXE" wide
|
||||
$s2 = "dl32.dll" fullword ascii
|
||||
$s3 = "HookProc@" ascii
|
||||
$s4 = "0`.wtf" fullword ascii
|
||||
$x1 = "~1.EXE" wide
|
||||
$s2 = "dl32.dll" fullword ascii
|
||||
$s3 = "HookProc@" ascii
|
||||
$s4 = "0`.wtf" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 20KB and (
|
||||
pe.imphash() == "682156c4380c216ff8cb766a2f2e8817" or
|
||||
2 of them )
|
||||
pe.imphash() == "682156c4380c216ff8cb766a2f2e8817" or
|
||||
2 of them )
|
||||
}
|
||||
|
||||
rule MAL_Turla_Agent_BTZ {
|
||||
meta:
|
||||
description = "Detects Turla Agent.BTZ"
|
||||
author = "Florian Roth"
|
||||
reference = "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified"
|
||||
date = "2018-04-12"
|
||||
hash1 = "c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8"
|
||||
strings:
|
||||
$x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
|
||||
$x3 = "mstotreg.dat" fullword ascii
|
||||
$x4 = "Bisuninst.bin" fullword ascii
|
||||
$x5 = "mfc42l00.pdb" fullword ascii
|
||||
$x6 = "ielocal~f.tmp" fullword ascii
|
||||
|
||||
$s1 = "%s\\1.txt" fullword ascii
|
||||
$s2 = "%windows%" fullword ascii
|
||||
$s3 = "%s\\system32" fullword ascii
|
||||
$s4 = "\\Help\\SYSTEM32\\" fullword ascii
|
||||
$s5 = "%windows%\\mfc42l00.pdb" fullword ascii
|
||||
$s6 = "Size of log(%dB) is too big, stop write." fullword ascii
|
||||
$s7 = "Log: Size of log(%dB) is too big, stop write." fullword ascii
|
||||
$s8 = "%02d.%02d.%04d Log begin:" fullword ascii
|
||||
$s9 = "\\system32\\win.com" fullword ascii
|
||||
condition:
|
||||
uint16(0) == 0x5a4d and filesize < 100KB and (
|
||||
1 of ($x*) or
|
||||
4 of them
|
||||
)
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user