valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

New CobaltGang rule

Browse Source
This commit is contained in:
Florian Roth 2019-10-24 16:49:40 +02:00
parent 563cb2c5f5
commit 733ee7eb8a
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
yara/crime_cobaltgang.yar
View File

@ -6,6 +6,8 @@
Reference: Internal Research
*/
import "pe"
/* Rule Set ----------------------------------------------------------------- */
/* Removed Beacon rules - only in THOR */
@ -65,3 +67,25 @@ rule CobaltGang_Malware_Aug17_2 {
condition:
( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
}
rule CRIME_CobaltGang_Malware_Oct19_1 {
meta:
description = "Detects CobaltGang malware"
author = "Florian Roth"
reference = "https://twitter.com/vxsh4d0w/status/1187353649015611392"
date = "2019-10-24"
hash1 = "72125933265f884ceb8ab64ab303ea76aaeb7877faee8976d398acd0d0b7356b"
hash2 = "893339624602c7b3a6f481aed9509b53e4e995d6771c72d726ba5a6b319608a7"
hash3 = "3c34bbf641df25f9accd05b27b9058e25554fdfea0e879f5ca21ffa460ad2b01"
strings:
$op_a1 = { 0f 44 c2 eb 0a 31 c0 80 fa 20 0f 94 c0 01 c0 5d }
$op_b1 = { 89 e5 53 8b 55 08 8b 4d 0c 8a 1c 01 88 1c 02 83 }
$op_b2 = { 89 e5 53 8b 55 08 8b 45 0c 8a 1c 0a 88 1c 08 83 }
condition:
uint16(0) == 0x5a4d and filesize <= 2000KB and (
pe.imphash() == "d1e3f8d02cce09520379e5c1e72f862f" or
pe.imphash() == "8e26df99c70f79cb8b1ea2ef6f8e52ac" or
( $op_a1 and 1 of ($op_b*) )
)
}