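/*
 * Dridex x64 bot hook-routine detector.
 *
 * A single hex pattern over a code fragment; the wildcarded bytes (??)
 * stand for displacement and immediate operands that differ between
 * builds. The fixed bytes are decoded inline as a reading aid only.
 */
rule crime_win64_dridex_bot_hook
{
    meta:
        // `meta:` section header added: the declarations below are only
        // valid inside a meta section, so the rule does not compile
        // without it.
        description = "Detects latest Dridex bot hook "
        author = "@VK_Intel"
        reference = "internal"
        tlp = "white"
        date = "2020-03-24"

    strings:
        // Fixed bytes decode (x86-64) as:
        //   e8 ?? ?? ?? ??        call rel32
        //   44 2b f3              sub  r14d, ebx
        //   41 b8 04 00 00 00     mov  r8d, 4
        //   41 83 ee 05           sub  r14d, 5
        //   ba cd 9c ff 56        mov  edx, 0x56ff9ccd
        //   b9 cb 69 e2 6a        mov  ecx, 0x6ae269cb
        //   8b f3                 mov  esi, ebx
        //   48 85 c0 / 74 ??      test rax, rax ; jz short
        //   49 8b cd              mov  rcx, r13
        //   41 b9 40 00 00 00     mov  r9d, 0x40
        // NOTE(review): the two 32-bit immediates are the most
        // sample-specific part of the pattern; whether they stay stable
        // across builds is not established here — confirm against newer
        // samples before relying on them as the anchor.
        $code = { e8 ?? ?? ?? ?? 8b ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 44 2b f3 48 ?? ?? ?? 41 b8 04 00 00 00 41 83 ee 05 44 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? ba cd 9c ff 56 b9 cb 69 e2 6a 8b f3 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 85 c0 74 ?? 48 ?? ?? ?? ?? 4c ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 49 8b cd 41 b9 40 00 00 00 }

    condition:
        // Deliberately no PE-header or filesize gate, so the rule also
        // matches unpacked code in process-memory dumps. If it is only
        // ever run against files on disk and false positives appear,
        // prepend `uint16(0) == 0x5a4d and`.
        $code
}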
<fs>
abaeb, abajvm, abamenu, abastart, accesspay, acCOMpkcs, accrdsub, acevents, acsagent, Act!, Act!.Integration, Act.Outlook.Service, Active-Charge, adminconsole, AFR38, albacs, Albany.EFT.Corporate.Client, Aldelo.EDC.AFRService, alohaedc, AMBCN, appupdate, APRINT6, ArmoryDB, ArmoryQt, aspnet_wp, Assistant, AxUpdatePortal, BacscomIP2, BancLine, Bank, Banking, banktelapk, Bbm24win, BCN-Netkey, BGDWIN31, BGFWIN31, BGXWIN31, bitcoin-qt, bocusertool, bosrv, bpcssm, bpftp, bpftpserver, bridgerinside, bsaadmin, c_agent, callerIdserver, CanaraCustMaintenance, Capture, cardentry, cardserver, CashClub, CashCommv5, Cloud, Backup, spx_gui, Cashmate, CCMPS3, CCS3, cedripack, cedrisend, cegidebics, cftpstes, client32, ClientSitef, CLXReader, commandclientplugin, commandclientplugin_gui, commander, ComSX, ConcordIP_Host, ConfigurationEditor, contact, coreftp, CPS.POSExpressV3, CRE2004, CreditCardService, cresus, crs1, cspregtool, CuteFtp, cwb3uic, cwbdsk, cwblog, cwbsvd, cwbsvstr, cwbtf, cwbuisxe, cwbujbld, cwbujcnv, CXSRetailPOS, cyberduck, czawin31, cziwin31, dais.ebank.client.offlineclient, dash-qt, dbstpssvc, dexplore, DDCDSRV1, deltaworks, dfsvc, DiasClient, dirclt32, director-communication, director-server, dpseftxc, DSICardnetIP_Term, DSIHeartlandIP_TermSL, DSIVitalTNSIP_Term, e3K.Main, eAssetLink, eautomate, ebmain, EBsec, ecb-sg, ecbl-nxbp, EdcSvr, efinance, efix, EFTSERV, EftTray, ELBA5, ElectronicLockbox, electrum, electrum-1.8.1, electrum-1.9, electrum-2.8.0, electrum-2.8.1, electrum-2.8.2, electrum-2.8.3, electrum-2.9.0, electrum-2.9.1, electrum-2.9.2, electrum-2.9.3, electrum-2.9.3, electrum-3.0.2, electrum-3.1.0, electrum-3.1.1, electrum-3.1.2, electrum-3.1.3, electrum-3.3.0, electrum-3.3.1, electrum-3.3.2, electrum-3.3.3, electrum-3.3.4, electrum-3.3.5, electrum-3.3.6, electrum-3.3.7, electrum-3.3.8, electrum-3.3.9, electrum-3.0.2-portable, electrum-3.1.0-portable, electrum-3.1.1-portable, electrum-3.1.2-portable, electrum-3.1.3-portable, electrum-3.1.6-portable, 
electrum-3.3.3-portable, electrum-3.3.4-portable, electrum-3.3.5-portable, electrum-3.3.6-portable, electrum-3.3.7-portable, electrum-3.3.8-portable, electrum-3.3.9-portable, encompass, ENTER1, Entreprise, ENTRPRSE, eSigner, Ethereum, etsr, evidencija, ewallet, ExchequerPayroll, facture, far, farm42phyton, FAXCLNT, fedcomp, ffftp, filezilla, finchart, Firefly, fireftp, FiveStarCreditCardIntegration, flashfxp, ForexTraderPro, freeftp, fspnet, ftpx, ftrskr, fx4cash, Gateway, GbpSV, GestionPE, goldtllr32, goldtrakpc, gslshmsrvc, guawin32, GUIApplication, HeartlandIP_Term, htmlshell, iberclear, IberQS, ifrun60, iFtpSvc, IKernel, InitEpp, intact, InteractFastConfig, interprisesuite, intwin31, ipspool, IRISPayroll, ISL_light_client, ISSPOS, iwinload, java, javav, javaw, jhaintexec, jp2launcher, JPOS, jRestaurant, jxbrowser-chromium, Kasir, kb_pcb, keepass, kiosk, launch, launcher, ldcptv10, Leechftp, legaclt, link, linth, litecoin-qt, Magtek, mammut, mammut_tb, manager, merapplauncher, mfmanager, MICROS, Migros_Bank_E-Banking, mobaxterm, monero-wallet-gui, MopaMaes, mpkds, MS000000, msaccess, mstsc, multibit, navigationmanager, NCRLoader, netterm, nlnotes, notes, notes2, OEBMCC32, OmniPOS, Online, otscm-client, paycentre, PaygateWpfClient, Payment, PaymentBridge, PaymentServer, PaymentStandard, PaymentStudio, paypen, pcscmenu, pcsfe, pcsmc2vb, pcsws, PGEPOService, plink, PLT1151, PLT1751, POS-CFG, POS_retail, POSCONFG, POSINIT, posw, PowerPay, private, proffix.v4, prowin32, pspooler, PSTTransfer, pstw32, PTService, ptw1151, putty, pxShowThread, QBPOS, qbpos, QBPOSShell, QikDesktop, QikDesktopCitrix, QOPT, QuestLauncher, rbpmain, rbpmain2, RegisterTool, relaisbtp, RemoteAdminServer, rmpos, Rock, roiwin31, RoomKey, rpccEngine, Rpro8, RPRO8, rtopcb, runclient, RWPOS, sacmonitor, Sage&Sage.Central.AutoUpdateManager.Service, Sage.SData.Service, sage200.finanz.gui, sagedirect, salaires8, saplogon, SBDDesktop, scsignernativemessagehost, seamonkey, securID, server, sfirm, 
sfmain, sfmainprg, sfunload, sg50CtrlSvc, sg50launcher, sg50RmtAppSvc, sg50svc, SGNavigatorApp, Signature, sllauncher, SM22, smartftp, SmarTTY, Sophos, spawin31, spcp, SQLpnr, srvview, sta2gpc, StarMoney, StartStarMoney, Suite, Surfer, Swipe, SymForm2App, SynIntegrationClient, SynJhaIntService, telebanking, telelink, Telelink, TellerDR, tellerlauncher, terminal, tftpsvc, tokensharesrv, TOTALCMD, TOTALCMD32, TOTALCMD64, touchPOS, TPComplianceManager, TPWorkstation, transac, translink, Transnet, trcgui, TSTAdmin, TSTSolutions, turbo_teletransmission, UBSPay, uniservice, universe, UTG2Svc, verex, vmware-view, vp-ebanking, vpxclient, VRNetWorld, Wacmenu, Wallet, WinBacs, winbiz, wineur, winscp, WINTRV, wmic, wndaudit, WosaXFSTest, WsftpCOMHelper, XCharge, XChrgSrv, xfsExplorer, XFSSimulator, EnterpriseConsole
</fs>