TA505 loader yara sig

1. rule ta505_packed_bin
2. {
3. meta:
4. description = "TA505 loader"
5. author = "James_inthe_box"
6. reference = "3e9787ece4961e7bb5b08cc6a99657befd47b5c53ed3ce8f6394a21d009ed195"
7. date = "2020/01"
8. maltype = "Loader"
9.  
10. strings:
11. $string1 = "GetUserNameW" ascii
12. $string2 = "requestedPrivileges" ascii
13. $string3 = "getandgodll_Win32.dll" ascii
14. $string4 = "WinHttpOpen" ascii
15. $string5 = "UPX" ascii
16. $string6 = "wsprintfW" ascii
17. $string7 = "GetProcAddress" ascii
18.  
19. condition:
20. uint16(0) == 0x5A4D and all of ($string*) and filesize < 400KB
21. }
22.  
23. rule ta505_unpacked_bin
24. {
25. meta:
26. description = "TA505 loader"
27. author = "James_inthe_box"
28. reference = "4a3515f660ff5b938b73d1642a464fd87f3b694d4a09f23a94a14be4d95b7226"
29. date = "2020/01"
30. maltype = "Loader"
31.  
32. strings:
33. $string1 = "Failed to inject the DLL" ascii
34. $string2 = "connection reset" ascii
35. $string3 = "shutdown /r /t" ascii
36. $string4 = "&OS=" wide
37. $string5 = "&OSA=" wide
38. $string6 = "&PR=" wide
39. $string7 = "Reflective" ascii
40.  
41. condition:
42. uint16(0) == 0x5A4D and all of ($string*) and filesize < 400KB
43. }
44.  
45. rule ta505_unpacked_mem
46. {
47. meta:
48. description = "TA505 loader"
49. author = "James_inthe_box"
50. reference = "4a3515f660ff5b938b73d1642a464fd87f3b694d4a09f23a94a14be4d95b7226"
51. date = "2020/01"
52. maltype = "Loader"
53.  
54. strings:
55. $string1 = "Failed to inject the DLL" ascii
56. $string2 = "connection reset" ascii
57. $string3 = "shutdown /r /t" ascii
58. $string4 = "&OS=" wide
59. $string5 = "&OSA=" wide
60. $string6 = "&PR=" wide
61. $string7 = "Reflective" ascii
62.  
63. condition:
64. all of ($string*) and filesize > 400KB
65. }