Winnti loader rule by Vitali Kremez

2024-11-06 18:15:20 +00:00 · 2020-02-02 09:02:14 +01:00 · 2020-02-02 09:02:14 +01:00 · a4e2f23c82
commit a4e2f23c82
parent 90c2377fdc
1 changed files with 13 additions and 0 deletions
--- a/yara/apt_winnti.yar
+++ b/yara/apt_winnti.yar
@ -251,3 +251,16 @@ rule APT_Winnti_MAL_Dec19_5 {
   condition:
      (12 of ($a*))
 }
+
+rule APT_CN_Group_Loader_Jan20_1 {
+   meta:
+      description = "Detects loaders used by Chinese groups"
+      author = "Vitali Kremez"
+      reference = "https://twitter.com/VK_Intel/status/1223411369367785472?s=20"
+      date = "2020-02-01"
+      score = 80
+   strings:
+      $xc1 = { 8B C3 C1 E3 10 C1 E8 10 03 D8 6B DB 77 83 C3 13 }
+   condition:
+      1 of them
+}