rule Malware_Cridex_Generic {
    // NOTE(review): the rule that follows in this file reuses the identifier
    // Malware_Cridex_Generic. YARA rejects duplicate rule names, so the file
    // will not compile until one of the two is renamed.
    meta:
        description = "Rule matching Cridex-C Malware distributed in a German Campaign, January 2014 (Vodafone, Telekom, Volksbank bills)"
        author = "F. Roth"
        date = "2014-01-15"
        // reference points at the VirusTotal report; hash below is the
        // sample's MD5 as given by the author (different digest than the
        // SHA-256 in the URL).
        reference = "https://www.virustotal.com/en/file/519120e4ff6524353247dbac3f66e6ddad711d384e317923a5bb66c16601743e/analysis/"
        hash = "86d3e008b8f5983c374a4859739f7de4"
    strings:
        // Mandatory string: the condition never fires without it.
        $c1 = "NEWDEV.dll" fullword
        // Secondary strings; the condition requires at least one of the
        // $b-prefixed set, so adding more $b* strings widens the match.
        $b2a = "COMUID.dll" fullword
        $b2b = "INSENG.dll" fullword
    condition:
        // fullword on all three strings avoids hits inside longer tokens.
        $c1 and 1 of ($b*)
}
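rule Malware_Cridex_Generic_Paths {
    // Renamed from Malware_Cridex_Generic: the rule above already carries that
    // identifier and YARA does not accept two rules with the same name in one
    // ruleset. Content is otherwise the auto-generated rule, with one regex fix.
    meta:
        description = "Cridex Generic"
        author = "Yara Bulk Rule Generator"
        hash = "ab0e2cbca1434ab87e8cb81f97180292"
    strings:
        // Windows path starting with a drive letter C, followed by two to five
        // alphabetic components of 4-10 characters each (the three leading
        // groups are optional), no extension.
        $s1 = /[Cc]:\\([a-zA-Z]{4,10}\\|)([a-zA-Z]{4,10}\\|)([a-zA-Z]{4,10}\\|)[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}/ fullword
        // Same shape with a three-letter lowercase extension. The dot before
        // the extension is escaped: the original `.` matched any character,
        // which let plain long alphabetic tokens satisfy this pattern and
        // inflate #s2.
        $s2 = /[Cc]:\\([a-zA-Z]{4,10}\\|)([a-zA-Z]{4,10}\\|)([a-zA-Z]{4,10}\\|)[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}\.[a-z]{3}/ fullword
        // Two-component path, no extension.
        $s3 = /[Cc]:\\[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}/ fullword
    condition:
        // Occurrence counts are bounded on both sides, so a file with too many
        // ordinary paths is excluded as well as one with too few; the size cap
        // keeps the generic regexes from being scanned over large binaries.
        ( #s1 > 4 and #s1 < 8 ) and ( #s2 > 1 and #s2 < 5 ) and ( #s3 > 4 and #s3 < 8 ) and filesize < 200KB
}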