rule ta505_packed_bin
{
    // On-disk, packed form of the TA505 loader (the rule looks for a UPX marker).
    // Most indicators are generic Win32 import names; the embedded DLL name is the
    // only sample-specific string, so all of them are required together.
    meta:
        description = "TA505 loader"
        author = "James_inthe_box"
        reference = "3e9787ece4961e7bb5b08cc6a99657befd47b5c53ed3ce8f6394a21d009ed195"
        date = "2020/01"
        maltype = "Loader"

    strings:
        $s_helper_dll  = "getandgodll_Win32.dll" ascii   // most specific indicator
        $s_packer      = "UPX" ascii
        $s_username    = "GetUserNameW" ascii
        $s_reqpriv     = "requestedPrivileges" ascii
        $s_winhttp     = "WinHttpOpen" ascii
        $s_wsprintf    = "wsprintfW" ascii
        $s_getprocaddr = "GetProcAddress" ascii

    condition:
        // MZ header, every string present, and a size cap that keeps this rule
        // on the packed binary rather than the larger unpacked form.
        uint16(0) == 0x5A4D and all of them and filesize < 400KB
}
rule ta505_unpacked_bin
{
    // On-disk, unpacked form of the TA505 loader: a PE below 400KB carrying the
    // injection/C2 strings below. The "&OS=" family are wide strings, matching
    // how the sample stores them; the rest are plain ASCII.
    meta:
        description = "TA505 loader"
        author = "James_inthe_box"
        reference = "4a3515f660ff5b938b73d1642a464fd87f3b694d4a09f23a94a14be4d95b7226"
        date = "2020/01"
        maltype = "Loader"

    strings:
        $msg_inject_fail = "Failed to inject the DLL" ascii
        $msg_conn_reset  = "connection reset" ascii
        $cmd_reboot      = "shutdown /r /t" ascii
        $param_os        = "&OS=" wide
        $param_osa       = "&OSA=" wide
        $param_pr        = "&PR=" wide
        $str_reflective  = "Reflective" ascii

    condition:
        uint16(0) == 0x5A4D and all of them and filesize < 400KB
}
rule ta505_unpacked_mem
{
    // Memory-oriented variant of ta505_unpacked_bin: same seven indicators, but
    // no MZ check (the region scanned need not start at a PE header) and a size
    // floor instead of a cap, so it targets dumps larger than the on-disk binary.
    // NOTE(review): filesize is the size of the scanned object; when scanning
    // live process memory rather than a dump file, confirm how the YARA version
    // in use defines it before relying on this rule.
    meta:
        description = "TA505 loader"
        author = "James_inthe_box"
        reference = "4a3515f660ff5b938b73d1642a464fd87f3b694d4a09f23a94a14be4d95b7226"
        date = "2020/01"
        maltype = "Loader"

    strings:
        $msg_inject_fail = "Failed to inject the DLL" ascii
        $msg_conn_reset  = "connection reset" ascii
        $cmd_reboot      = "shutdown /r /t" ascii
        $param_os        = "&OS=" wide
        $param_osa       = "&OSA=" wide
        $param_pr        = "&PR=" wide
        $str_reflective  = "Reflective" ascii

    condition:
        all of them and filesize > 400KB
}