Zeus_1134 Yara Rule

Xylitol, Mar 4th, 2014
rule Windows_Malware : Zeus_1134
{
        meta:
                author = "Xylitol xylitol@malwareint.com"
                date = "2014-03-03"
                description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
                reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
                yaraexchange = "do what the fuck you want"
        strings:
                $mz = {4D 5A}                   // "MZ" DOS header magic; every PE has it, so it is only a gate
                $protocol1 = "X_ID: "           // custom X_ headers from the bot's HTTP protocol
                $protocol2 = "X_OS: "
                $protocol3 = "X_BV: "
                $stringR1 = "InitializeSecurityDescriptor"   // imported Win32 API name
                $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"   // hardcoded User-Agent
        condition:
                // MZ at offset 0, all three X_ headers present, and at least one of the R strings.
                // Text strings carry no "wide" modifier, so only ASCII occurrences count.
                ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
}
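The condition above is compact, so here is the same logic re-implemented in pure Python as an added example (not part of the paste, not Xylitol's code) that runs without yara-python. It evaluates `$mz at 0`, `all of ($protocol*)` and `($stringR1 or $stringR2)` over constructed buffers: a fake "PE" carrying the strings, one without the MZ magic at offset 0, one missing a protocol header, and one where the strings are stored as UTF-16LE, which the rule does not match because its text strings lack the `wide` modifier. The `build_sample` helper and all buffers are constructed here and are not real Zeus samples.

```python
"""Pure-Python model of the Zeus_1134 rule's condition (added example)."""
from dataclasses import dataclass

# Strings exactly as declared in the rule. Without `wide`, YARA matches text
# strings as ASCII only, so they are kept as ASCII bytes here as well.
MZ = b"MZ"
PROTOCOL = [b"X_ID: ", b"X_OS: ", b"X_BV: "]
STRING_R = [b"InitializeSecurityDescriptor",
            b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"]


@dataclass
class Match:
    matched: bool
    strings: dict  # identifier -> list of offsets, like the output of `yara -s`


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset of needle in data (YARA records all occurrences)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def zeus_1134(data: bytes) -> Match:
    """Evaluate: $mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2)."""
    hits = {"$mz": find_all(data, MZ)}
    for i, s in enumerate(PROTOCOL, 1):
        hits[f"$protocol{i}"] = find_all(data, s)
    for i, s in enumerate(STRING_R, 1):
        hits[f"$stringR{i}"] = find_all(data, s)

    mz_at_0 = 0 in hits["$mz"]                                        # $mz at 0
    all_protocol = all(hits[f"$protocol{i}"] for i in range(1, 4))    # all of ($protocol*)
    any_string_r = bool(hits["$stringR1"] or hits["$stringR2"])       # ($stringR1 or $stringR2)
    return Match(mz_at_0 and all_protocol and any_string_r,
                 {k: v for k, v in hits.items() if v})


def build_sample(mz=True, protocol=PROTOCOL, extra=(STRING_R[1],), wide=False) -> bytes:
    """Constructed test buffer: a fake DOS header, padding, then the chosen strings.
    wide=True stores the text as UTF-16LE, which this rule (no `wide`) will not see."""
    enc = (lambda s: s.decode().encode("utf-16-le")) if wide else (lambda s: s)
    body = b"\x00" * 8 + b"\x00".join(enc(s) for s in (*protocol, *extra)) + b"\x00" * 8
    return (MZ if mz else b"ZM") + b"\x90" * 62 + body


if __name__ == "__main__":
    cases = [
        ("fake zeus", build_sample()),
        ("no MZ at 0", build_sample(mz=False)),
        ("missing X_BV", build_sample(protocol=PROTOCOL[:2])),
        ("utf-16 strings", build_sample(wide=True)),
    ]
    for name, buf in cases:
        m = zeus_1134(buf)
        print(f"{name:15} -> {m.matched}  {sorted(m.strings)}")
```

Two caveats the model makes visible: `$mz at 0` is satisfied by any MZ executable, so the real selectivity comes from the three `X_` headers together with one of the `$stringR` strings; and a build that stores those strings as UTF-16 (or obfuscates them and decodes at runtime) slips past the rule, so for packed samples run it against unpacked binaries or process memory. Against the real rule, `yara -s zeus_1134.yar sample.exe` prints the matching strings and offsets the same way `Match.strings` does.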