Merge pull request #93 from ForensicITGuy/patch-1

Submit crime_h2miner_kinsing.yar for Kinsing malware
This commit is contained in:
Florian Roth 2020-08-31 16:26:25 +02:00 committed by GitHub
commit bd28393367
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


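--- a/crime_h2miner_kinsing.yar
+++ b/crime_h2miner_kinsing.yar
@@ -0,0 +1,19 @@
+rule crime_h2miner_kinsing
+{
+meta:
+description = "Rule to find Kinsing malware"
+author = "Tony Lambert, Red Canary"
+date = "2020-06-09"
+strings:
+$s1 = "-iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT"
+$s2 = "libpcap"
+$s3 = "main.backconnect"
+$s4 = "main.masscan"
+$s5 = "main.checkHealth"
+$s6 = "main.redisBrute"
+$s7 = "ActiveC2CUrl"
+$s8 = "main.RC4"
+$s9 = "main.runTask"
+condition:
+(uint32(0) == 0x464C457F) and filesize > 1MB and all of them
+}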
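Review bot: The `filesize > 1MB` lower bound in the condition is undocumented, and a reader cannot tell from the rule whether it reflects observed sample sizes or is meant to cut scan cost, so a one-line comment on the condition such as `// lower size bound: observed samples are large (statically linked Go binaries) — confirm against reference hashes` would keep the threshold from being "tuned away" later. The meta block also lacks a `reference` and a `hash` field; adding `reference = "<REPORT_URL placeholder>"` and `hash = "<SAMPLE_SHA256 placeholder>"` next to `date` would let the next maintainer re-validate the nine `$s` strings, which is important because `all of them` means a single changed symbol name in a new build silently breaks detection. The `uint32(0) == 0x464C457F` check correctly restricts matching to ELF headers, so the generic `$s2 = "libpcap"` string is acceptable only because of the `all of them` conjunction; that dependency is worth stating in the description.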