JohnGalt14

BlackEnergy 2 Yara Rule

Feb 19th, 2015
/*

  BlackEnergy2 Yara Rule
  v1.0 19.02.15

  Tested on sample provided by @PhysicalDrive0:
  https://malwr.com/analysis/N2YxOGJkNTk5NjcwNDM1MDkxN2EwZWMzYjE2NWQ4MTU/

  Also integrated in IOC Scanner Loki
  https://github.com/Neo23x0/Loki

  Please report back false positives (via Issues on LOKI's Github page)

*/

rule BlackEnergy_BE_2 {
    meta:
        description = "Detects BlackEnergy 2 Malware"
        author = "Florian Roth"
        reference = "http://goo.gl/DThzLz"
        date = "2015/02/19"
        hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
    strings:
        $mz = { 4d 5a }
        $s0 = "<description> Windows system utility service  </description>" fullword ascii
        $s1 = "WindowsSysUtility - Unicode" fullword wide
        $s2 = "msiexec.exe" fullword wide
        $s3 = "WinHelpW" fullword ascii
        $s4 = "ReadProcessMemory" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 250KB and all of ($s*)
}
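To make the rule's matching semantics concrete, here is an added example that is not part of the paste and not code from Florian Roth or the Loki project: a pure-Python re-implementation of the BlackEnergy_BE_2 condition (MZ at offset 0, filesize below 250KB, every $s string present) run over constructed byte buffers. The buffers are synthetic and carry only the rule's literal strings; they are not real BlackEnergy samples. The fullword and wide handling follows how I understand YARA to implement those modifiers (alphanumeric bytes on either side cancel a match; wide strings are UTF-16-LE and the boundary check looks at the alnum byte plus its 0x00 pair), which is an assumption; it is meant to show why a near-miss such as "WinHelpW1" does not fire, not to replace scanning with yara itself.

```python
"""Added example: re-implements the BlackEnergy_BE_2 condition over constructed
buffers to illustrate YARA's ascii/wide/fullword/filesize semantics.
Not the original paste's code; fullword emulation is an assumption based on
YARA's behaviour as I understand it."""

# Strings copied from the rule: name -> (text, encodings per the rule's modifiers).
RULE_STRINGS = {
    "$s0": ("<description> Windows system utility service  </description>", ("ascii",)),
    "$s1": ("WindowsSysUtility - Unicode", ("wide",)),
    "$s2": ("msiexec.exe", ("wide",)),
    "$s3": ("WinHelpW", ("ascii",)),
    "$s4": ("ReadProcessMemory", ("ascii",)),
}
MAX_FILESIZE = 250 * 1024  # YARA's "250KB" means 250 * 1024 bytes


def _alnum(b: int) -> bool:
    # bytes.isalnum() only accepts ASCII letters/digits, like C isalnum() in the C locale.
    return bytes([b]).isalnum()


def _fullword_ok(data: bytes, start: int, end: int, wide: bool) -> bool:
    """Reject a match that is extended by an alphanumeric character on either side.
    For wide strings the neighbour is an alnum byte paired with a 0x00 byte (assumption)."""
    if wide:
        before = start < 2 or not (data[start - 1] == 0 and _alnum(data[start - 2]))
        after = end + 1 >= len(data) or not (_alnum(data[end]) and data[end + 1] == 0)
    else:
        before = start == 0 or not _alnum(data[start - 1])
        after = end >= len(data) or not _alnum(data[end])
    return before and after


def find_string(data: bytes, text: str, encodings) -> list:
    """Offsets where `text` occurs, fullword, in any of the requested encodings."""
    hits = []
    for enc in encodings:
        wide = enc == "wide"
        needle = text.encode("utf-16-le" if wide else "ascii")
        pos = data.find(needle)
        while pos != -1:
            if _fullword_ok(data, pos, pos + len(needle), wide):
                hits.append(pos)
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def match_blackenergy_be_2(data: bytes) -> dict:
    """Evaluate: ( $mz at 0 ) and filesize < 250KB and all of ($s*)."""
    result = {
        "$mz": data[:2] == b"MZ",              # { 4d 5a } at offset 0
        "filesize_ok": len(data) < MAX_FILESIZE,
    }
    for name, (text, encs) in RULE_STRINGS.items():
        result[name] = bool(find_string(data, text, encs))
    result["match"] = all(result.values())
    return result


def build_sample(*, all_strings: bool = True, break_fullword: bool = False) -> bytes:
    """Construct a synthetic buffer (not real malware) carrying the rule's strings,
    each delimited by 0x00 so the fullword checks pass unless break_fullword is set."""
    parts = [b"MZ" + b"\x00" * 62]  # fake DOS header start, zero padded
    parts.append(b"\x00<description> Windows system utility service  </description>\x00")
    parts.append(b"\x00\x00" + "WindowsSysUtility - Unicode".encode("utf-16-le") + b"\x00\x00")
    parts.append(b"\x00\x00" + "msiexec.exe".encode("utf-16-le") + b"\x00\x00")
    # "WinHelpW1" glues a digit onto the string, which fullword must reject.
    parts.append(b"\x00WinHelpW" + (b"1" if break_fullword else b"\x00"))
    if all_strings:
        parts.append(b"\x00ReadProcessMemory\x00")
    return b"".join(parts)


if __name__ == "__main__":
    for label, buf in [
        ("all strings, MZ, small", build_sample()),
        ("missing ReadProcessMemory", build_sample(all_strings=False)),
        ("WinHelpW1 (fullword broken)", build_sample(break_fullword=True)),
        ("padded past 250KB", build_sample() + b"\x00" * MAX_FILESIZE),
    ]:
        print(label, "->", match_blackenergy_be_2(buf))
```

The four constructed cases exercise each clause of the condition independently: dropping one string, breaking a fullword boundary, or padding past 250KB each defeats the rule even though the other strings are still present, which is the behaviour to keep in mind when a sample is repacked or appended to.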