signature-base/yara/apt_fidelis_phishing_plain_sight.yar


rule Fidelis_Advisory_Purchase_Order_pps {
    // Fidelis "phishing in plain sight" advisory (see file name): flags the lure
    // document Purchase_Order.pps by a single path artifact left inside it.
    // The reference is a shortened (goo.gl) link and may no longer resolve.
    meta:
        description = "Detects a string found in a malicious document named Purchase_Order.pps"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        reference = "http://goo.gl/ZjJyti"
        date = "2015-06-09"
    strings:
        // Author-side workstation path embedded in the document. Each "\\" is
        // YARA escaping for one literal backslash; matched as ASCII only.
        $s0 = "Users\\Gozie\\Desktop\\Purchase-Order.gif" ascii
    condition:
        // Only one string is defined, so this is the same as "all of them".
        $s0
}
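rule Fidelis_Advisory_cedt370 {
    // Same Fidelis advisory as the Purchase_Order.pps rule in this file; this one
    // keys on strings observed in the memory of the payload cedt370r(3).exe, so it
    // is intended for process-memory scans rather than on-disk file checks.
    // The license field was added so both rules in the file carry the same meta
    // (the sibling rule already declares it). The reference is a shortened
    // (goo.gl) link and may no longer resolve.
    meta:
        description = "Detects a string found in memory of malware cedt370r(3).exe"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        reference = "http://goo.gl/ZjJyti"
        date = "2015-06-09"
    strings:
        // Dropped/secondary executable names seen in memory.
        $s0 = "PO.exe" ascii fullword
        $s1 = "Important.exe" ascii fullword
        // Looks like a form/query parameter fragment (presumably credential
        // exfiltration) -- inferred from the string only; confirm against the
        // advisory before relying on that interpretation.
        $s2 = "&username=" ascii fullword
        // Output file name referenced by the sample.
        $s3 = "Browsers.txt" ascii fullword
    condition:
        // All four strings are required; "fullword" keeps short names like
        // PO.exe from matching inside longer identifiers.
        all of ($s*)
}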