Baldr yara

1. rule Baldr_bin
2. {
3. meta:
4. author = "James_inthe_box"
5. reference = "e8adeee1736ee068f79284077ec905137051eaed11f0be53cc1977f30edb3102"
6. date = "3/2019"
7. maltype = "Infotealer"
8.  
9. strings:
10. $string1 = "_autocomplete.txt" wide
11. $string2 = "hostname|encryptedPassword|encryptedUsername" wide
12. $string3 = "cookieDomains.log" wide
13. $string4 = "sitemanager.xml" wide
14. $string5 = "Cards Count" wide
15. $string6 = ".purple\\accounts.xml" wide
16. $string7 = "ProtonVPN.exe_Url_" wide
17. $string8 = "NordVPN.exe_Url_" wide
18. $string9 = "Exodus\\exodus.wallet" wide
19.  
20. condition:
21. uint16(0) == 0x5A4D and all of ($string*) and filesize < 800KB
22. }
23.  
24. rule Baldr_mem
25. {
26. meta:
27. author = "James_inthe_box"
28. reference = "e8adeee1736ee068f79284077ec905137051eaed11f0be53cc1977f30edb3102"
29. date = "3/2019"
30. maltype = "Infotealer"
31.  
32. strings:
33. $string1 = "_autocomplete.txt" wide
34. $string2 = "hostname|encryptedPassword|encryptedUsername" wide
35. $string3 = "cookieDomains.log" wide
36. $string4 = "sitemanager.xml" wide
37. $string5 = "Cards Count" wide
38. $string6 = ".purple\\accounts.xml" wide
39. $string7 = "ProtonVPN.exe_Url_" wide
40. $string8 = "NordVPN.exe_Url_" wide
41. $string9 = "Exodus\\exodus.wallet" wide
42.  
43. condition:
44. all of ($string*) and filesize > 800KB
45. }