API tools faq
paste
Advertisement
JohnGalt14

BlackEnergy 2 Yara Rule

JohnGalt14
Feb 19th, 2015
1,014
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 0.90 KB | None | 0 0
raw download clone embed print report
  1.  
  2. /*
  3.  
  4.   BlackEnergy2 Yara Rule
  5.   v1.0 19.02.15
  6.  
  7.   Tested on sample provided by @PhysicalDrive0:
  8.   https://malwr.com/analysis/N2YxOGJkNTk5NjcwNDM1MDkxN2EwZWMzYjE2NWQ4MTU/
  9.  
  10.   Also integrated in IOC Scanner Loki
  11.   https://github.com/Neo23x0/Loki
  12.  
  13.   Please report back false positives (via Issues on LOKI´s Github page)
  14.  
  15. */
  16.  
  17. rule BlackEnergy_BE_2 {
  18.     meta:
  19.         description = "Detects BlackEnergy 2 Malware"
  20.         author = "Florian Roth"
  21.         reference = "http://goo.gl/DThzLz"
  22.         date = "2015/02/19"
  23.         hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
  24.     strings:
  25.         $mz = { 4d 5a }
  26.         $s0 = "<description> Windows system utility service  </description>" fullword ascii
  27.         $s1 = "WindowsSysUtility - Unicode" fullword wide
  28.         $s2 = "msiexec.exe" fullword wide
  29.         $s3 = "WinHelpW" fullword ascii
  30.         $s4 = "ReadProcessMemory" fullword ascii
  31.     condition:
  32.         ( $mz at 0 ) and filesize < 250KB and all of ($s*)
  33. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!