rule Eightt_dll_bin
{
    // 8t crew RAT: matches the on-disk 32-bit DLL by its self-removal
    // command strings plus a few loader/CRT artefacts.
    meta:
        description = "8t crew malware"
        author = "James_inthe_box"
        reference = "853136f00e87a1ab3e2fc3acb309573e"
        date = "2019/04"
        maltype = "RAT"

    strings:
        // Format strings for the ownership grab and batch self-deletion
        // (%%0 is the literal form of the batch %0 in a C format string).
        $cmd_takeown  = "takeown /F \"%s\""
        $cmd_del_self = "del %%0 /q /f"
        $cmd_del_path = "del \"%s\" /q /f"
        $cmd_ping     = "Ping 127.0.0.1"
        // Loader / CRT artefacts.
        $crt_invoke   = "InvokeMainViaCRT"
        $crt_invoked  = "\"Main Invoked.\""
        $api_init_cs  = "InitializeCriticalSectionAndSpinCount"

    condition:
        // MZ magic, then the little-endian high byte of
        // IMAGE_FILE_HEADER.Characteristics (e_lfanew + 22, high byte at +23):
        // 0x21 means IMAGE_FILE_DLL | IMAGE_FILE_32BIT_MACHINE with the other
        // high-byte flags clear. Note the "PE\0\0" signature itself is not
        // checked, so this is a heuristic DLL test, not a full PE validation.
        uint16(0) == 0x5A4D
        and uint8(uint32(0x3c) + 23) == 0x21
        and all of them
        and filesize < 700KB
}
rule Eightt_dll_mem
{
    // 8t crew RAT: companion to Eightt_dll_bin for larger images (the name
    // suggests memory dumps); keys on cleanup/persistence-removal commands
    // that are stored as UTF-16 plus a few ASCII artefacts.
    meta:
        description = "8t crew malware"
        author = "James_inthe_box"
        reference = "853136f00e87a1ab3e2fc3acb309573e"
        date = "2019/04"
        maltype = "RAT"

    strings:
        // UTF-16 command-line fragments (process kill, registry cleanup,
        // DNS cache flush, recursive directory removal).
        $cmd_taskkill = "taskkill /f /pid %s" wide
        $cmd_regdel   = "reg delete H" wide
        $cmd_flushdns = "ipconfig /flushdns" wide
        $cmd_rd       = "rd /s/q \"%s\"" wide
        // ASCII artefacts: data file name (single literal backslash),
        // credential keyword and an API error message.
        $file_pxry    = "\\pxry.dat"
        $str_passwd   = "passwd"
        $err_token    = "OpenProcessToken Error: %d"

    condition:
        // No MZ/PE header check here; the size bound is the only structural
        // gate, which is consistent with scanning dumps rather than files.
        all of them
        and filesize > 700KB
}