Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Turns out this was actually #sorano stealer :(
- rule Sakari_bin
- {
- meta:
- description = "Sorano Stealer"
- author = "James_inthe_box"
- reference = "f6031dee846b034b70bf33ba416f4244a7a34fd30c23d7bd4a2c98c2812e3c29"
- date = "2019/05"
- maltype = "Stealer"
- strings:
- $string2 = "*.vdf" wide
- $string3 = "cookies" wide
- $string5 = "win32_logicaldisk.deviceid=" wide
- $string6 = "VolumeSerialNumber" wide
- $string7 = "[Browsers]" wide
- $string8 = "&ci=" wide
- $string9 = "&fz=" wide
- $string10 = "&cr=" wide
- $string11 = "&ds=" wide
- $string12 = "&dd=" wide
- $string13 = "&pd=" wide
- condition:
- uint16(0) == 0x5A4D and all of ($string*) and filesize < 8000KB
- }
- rule Sakari_mem
- {
- meta:
- description = "Sorano Stealer"
- author = "James_inthe_box"
- reference = "f6031dee846b034b70bf33ba416f4244a7a34fd30c23d7bd4a2c98c2812e3c29"
- date = "2019/05"
- maltype = "Stealer"
- strings:
- $string2 = "*.vdf" wide
- $string3 = "cookies" wide
- $string5 = "win32_logicaldisk.deviceid=" wide
- $string6 = "VolumeSerialNumber" wide
- $string7 = "[Browsers]" wide
- $string8 = "&ci=" wide
- $string9 = "&fz=" wide
- $string10 = "&cr=" wide
- $string11 = "&ds=" wide
- $string12 = "&dd=" wide
- $string13 = "&pd=" wide
- condition:
- all of ($string*) and filesize > 8000KB
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
