Create apt_LazarusCampaign_Payload_Jun2021.yar

2024-11-06 10:05:18 +00:00 · 2021-07-18 13:02:51 +03:00 · 2021-07-18 13:02:51 +03:00 · bfc4ba4970
commit bfc4ba4970
parent 3c9bc5f0a5
1 changed files with 27 additions and 0 deletions
--- a/yara/apt_LazarusCampaign_Payload_Jun2021.yar
+++ b/yara/apt_LazarusCampaign_Payload_Jun2021.yar
@ -0,0 +1,27 @@
+rule LazarusCampaign_Payload_Jun2021 : WindowsMalware {
+
+   meta:
+
+      author = "AlienLabs"
+
+      description = "Detects Lazarus campaign downloader Jun2021."
+
+      reference = "https://otx.alienvault.com/pulse/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c"
+
+      SHA256 = "f5563f0e63d9deed90b683a15ebd2a1fda6b72987742afb40a1202ddb9e867d0"
+
+
+   strings:
+
+
+      $a1 = "Office ClickToRun" wide ascii
+
+      $a2 = "C:\\Drivers\\"
+
+
+    condition:
+
+
+      uint16(0) == 0x5A4D and all of them
+
+}