James_inthe_box

W32.HfsVibisi.E172

Jul 29th, 2019
http://0.le4net00.net
http://ipb.securedserverspace.ltd
http://compute.deutschlandaws.com
http://deploy.static.blazingtechnologies.io
http://bc.fastusercontent.nl
  6.  
exodus
bitcoin
electrum
binance
kraken
bittrex
litecoin
monero
myether
coinbase
bitfinex
bitmex
kucoin
coinmarket
blockchain
cryptom
cryptonator
coinomi
poloniex
jaxx
  27.  
  28. #########################################################################################
  29. rule HfsVibisi_E172_bin
  30. {
  31. meta:
  32. description = "HfsVibisi.E172"
  33. author = "James_inthe_box"
  34. reference = "https://app.any.run/tasks/2755e852-6113-44b8-a3d9-e421234c33c5"
  35. date = "2019/06"
  36. maltype = "Bot"
  37.  
  38. strings:
  39. $string1 = "FileZilla\\"
  40. $string2 = "sitemanager.xml"
  41. $string3 = "recentservers.xml"
  42. $string4 = "U_BotUpdate"
  43. $string5 = "botsfolder"
  44. $string6 = "logsfolder"
  45. $string7 = "UnitKeyLogger"
  46. $string8 = "untBotUtils"
  47.  
  48. condition:
  49. uint16(0) == 0x5A4D and all of ($string*) and filesize < 800KB
  50. }
  51.  
  52. rule HfsVibisi_E172_mem
  53. {
  54. meta:
  55. description = "HfsVibisi.E172"
  56. author = "James_inthe_box"
  57. reference = "https://app.any.run/tasks/2755e852-6113-44b8-a3d9-e421234c33c5"
  58. date = "2019/06"
  59. maltype = "Bot"
  60.  
  61. strings:
  62. $string1 = "FileZilla\\"
  63. $string2 = "sitemanager.xml"
  64. $string3 = "recentservers.xml"
  65. $string4 = "U_BotUpdate"
  66. $string5 = "botsfolder"
  67. $string6 = "logsfolder"
  68. $string7 = "UnitKeyLogger"
  69. $string8 = "untBotUtils"
  70.  
  71. condition:
  72. all of ($string*) and filesize > 800KB
  73. }