mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-06 10:05:18 +00:00
30 lines
820 B
Plaintext
30 lines
820 B
Plaintext
import "pe"
|
|
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-10-24
|
|
Identifier: Kasper
|
|
Reference: Internal Research
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule KasperMalware_Oct17_1 {
|
|
meta:
|
|
description = "Detects Kasper Backdoor"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "Internal Research"
|
|
date = "2017-10-24"
|
|
hash1 = "758bdaf26a0bd309a5458cb4569fe1c789cf5db087880d6d1676dec051c3a28d"
|
|
strings:
|
|
$x1 = "\\Release\\kasper.pdb" ascii
|
|
$x2 = "C:\\D@oc@um@en@ts a@nd Set@tings\\Al@l Users" wide
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 7000KB and (
|
|
pe.imphash() == "2bceb64cf37acd34bc33b38f2cddfb61" or
|
|
1 of them
|
|
)
|
|
}
|