/
Unk_Crime_Downloader_2.yar
31 lines (29 loc) · 1.06 KB
/
Unk_Crime_Downloader_2.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
rule Unk_Crime_Downloader_2
{
meta:
id = "uuvhiMCrxhHFwTkSF2Tqv"
fingerprint = "9e6a26d06965366eaa5c3ad98fb2b120187cfb04a935e6a82effc58b23a235f0"
version = "1.0"
date = "2024-03-20"
modified = "2024-03-20"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies what appears to be related to PureLogs stealer, but it's likely a 2nd stage with the final stage to be downloaded."
category = "MALWARE"
malware = "PURELOGS"
malware_type = "DOWNLOADER"
hash = "443b3b9929156d71ed73e99850a671a89d4d0d38cc8acc7f286696dd4f24895e"
strings:
$unc = "UNCNOWN" ascii wide fullword
$anti_vm1 = "WINEHDISK" ascii wide fullword
$anti_vm2 = "(VMware|Virtual|WINE)" ascii wide
$click_1 = "TOffersPanel" ascii wide
$click_2 = "TOfferLabel" ascii wide
$click_3 = "TOfferCkb" ascii wide
$campaign = "InstallComaignsThread" ascii wide
$net_call = "/new/net_api" ascii wide
condition:
4 of them
}