James_inthe_box

Updated AgentTesla YARA signatures (on-disk binary rule and in-memory rule)

Nov 12th, 2019
  1. rule AgentTesla_mod_tough_bin
  2.  
  3. {
  4. meta:
  5. author = "James_inthe_box"
  6. reference = "https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/"
  7. date = "2019/11"
  8. maltype = "RAT"
  9.  
  10. strings:
  11. $stringset31 = "OperatingSystemName"
  12. $stringset32 = "ProcessorName"
  13. $stringset33 = "AmountOfMemory"
  14. $stringset34 = "VideocardName"
  15. $stringset35 = "VideocardMem"
  16. $stringset36 = "Password"
  17. $stringset37 = "Mozilla"
  18. $stringset38 = "Postbox"
  19. $stringset39 = "Thunderbird"
  20. $stringset311 = "SeaMonkey"
  21. $stringset312 = "Flock"
  22. $stringset313 = "BlackHawk"
  23. $stringset314 = "CyberFox"
  24. $stringset315 = "KMeleon"
  25. $stringset316 = "IceCat"
  26. $stringset317 = "PaleMoon"
  27. $stringset318 = "IceDragon"
  28. $stringset319 = "WaterFox"
  29.  
  30. condition:
  31. 10 of ($stringset3*)
  32. }
  33.  
  34. rule AgentTesla_mod_tough_mem
  35.  
  36. {
  37. meta:
  38. author = "James_inthe_box"
  39. reference = "https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/"
  40. date = "2019/11"
  41. maltype = "RAT"
  42.  
  43. strings:
  44. $string1 = "Opera Software\\Opera Stable" wide ascii
  45. $string2 = "keychain.plist" wide ascii
  46. $stringset1 = "type={0}" ascii wide
  47. $stringset2 = "hwid={1}" ascii wide
  48. $stringset3 = "time={2}" ascii wide
  49. $stringset4 = "pcname={3}" ascii wide
  50. $stringset5 = "logdata={4}" ascii wide
  51. $stringset6 = "screen={5}" ascii wide
  52. $stringset7 = "ipadd={6}" ascii wide
  53. $stringset8 = "webcam_link={7}" ascii wide
  54. $stringset9 = "screen_link={8}" ascii wide
  55. $stringset10 = "[passwords]" ascii wide
  56.  
  57. condition:
  58. all of ($string*) and 5 of ($stringset*)
  59. }