JohnGalt14

POSCardStealer B/R/S Spybot Yara Rule

Feb 10th, 2014
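  // Flags files or memory containing strings associated with the
  // POSCardStealer "SpyBot" point-of-sale malware (see meta.description).
  //
  // Matching logic: a single high-confidence string ($s*) is enough, or
  // any four of the six weaker command/logging strings ($x*).
  rule POSCardStealer_SpyBot {
      meta:
          description = "POSCardStealer SpyBot Malware"
          author = "F. Roth"
          date = "2014-02-10"
          // Reference sample hashes, as listed by the rule author.
          sha256 = "853fb5a2aad2e0533e390cfa5b0f3dfe96a054390cacdc8f4ba844bba20809e4"
          sha256 = "85c04c846b8e4a238b26cd96103a621f82242dd06ce0b8352d8f874c8387e1ae"
          sha256 = "e02e58cae7e61c4d93392c1a3e5f892d9bd053f28ec58b878c18a15ed2021613"
      strings:
          // Strong indicators: any one of these satisfies the condition.
          // $s1 carries `wide` only, so it matches the UTF-16LE form of the
          // log message and not an ASCII copy.
          $s1 = "[BOT_ENGINE] - INFO - Created MUTEX: \"%s\"" wide
          // Debug-symbol (PDB) path fragment; backslashes are escaped.
          $s2 = "\\Rescator\\uploader\\Debug\\scheck.pdb"
          // NOTE(review): a plain printf-style file-name template. On its own
          // it triggers the rule, so expect it to be the first source of
          // false positives; confirm against a clean-file corpus.
          $s3 = "data_%d_%d_%d_%d_%d.txt"

          // Weak indicators: generic strings that only count in combination.
          // The identifiers are numbered $x1-$x6 without repeats; declaring
          // `$x1` twice makes YARA reject the rule as a duplicated string
          // identifier, so the rule would never load.
          // NOTE(review): "BladeLogic" is also the name of a commercial
          // IT-automation product and can appear in benign software.
          $x1 = "BladeLogic"
          $x2 = "cmd /c net start %s"
          $x3 = "ftp -s:%s"
          $x4 = "PATH: %s"
          $x5 = "cmd.txt"
          $x6 = "COMMAND: %s"

      condition:
          // No file-type or size guard is applied, so the rule evaluates the
          // strings against whatever data is scanned.
          // NOTE(review): for file-only scanning, consider whether a PE
          // header check such as `uint16(0) == 0x5A4D` is appropriate; it is
          // left out here because it would change what the rule matches.
          1 of ($s*) or 4 of ($x*)
  }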