Xylitol

MLW_PurpleWave_v1.yar

Aug 2nd, 2020
  1. /*
  2.     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or
  3.     organization, as long as you use it under this license.
  4. */
  5. rule MLW_PurpleWave_v1
  6. {
  7.     meta:
  8.         Description ="Generic rule to identify PurpleWave v1.0"
  9.         Author = "Xylitol <[email protected]>"
  10.         date = "2020-08-01"
  11.         reference = "https://twitter.com/3xp0rtblog/status/1289125217751781376"
  12.         hash1 = "7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df"
  13.         hash2 = "76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304"
  14.         hash3 = "832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd"
  15.         hash4 = "917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9"
  16.         hash5 = "a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16"
  17.         hash6 = "d5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161"
  18.         hash7 = "d820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9"
  19.         hash8 = "d4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554"
  20.         hash9 = "4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d"
  21.  
  22.     strings:
  23.         $MZ = {4D 5A}
  24.         $decoderoutine = { 8B 45 E8 33 C9 8A 04 07 28 04 1A 42 83 FF 07 8D 47 01 0F 45 C8 8B F9 3B D6 7C E5 }
  25.         /*
  26.         generic routine used to decode strings (bot name, bot version, mutex, c2 url, etc..)
  27.         /8B45 E8         /MOV EAX,[LOCAL.6]
  28.         |33C9            |XOR ECX,ECX
  29.         |8A0407          |MOV AL,BYTE PTR DS:[EDI+EAX]
  30.         |28041A          |SUB BYTE PTR DS:[EDX+EBX],AL
  31.         |42              |INC EDX
  32.         |83FF 07         |CMP EDI,7
  33.         |8D47 01         |LEA EAX,DWORD PTR DS:[EDI+1]
  34.         |0F45C8          |CMOVNE ECX,EAX
  35.         |8BF9            |MOV EDI,ECX
  36.         |3BD6            |CMP EDX,ESI
  37.         \7C E5           \JL SHORT 76bffcf0.0135B57F
  38.         */
  39.  
  40.         // Regular strings that can be found into purplewave 1.0 samples
  41.         $string1 = " at t.me/LuckyStoreSupport |" fullword wide
  42.         $string2 = "][aes_key]" wide ascii
  43.         $string3 = "][passwords][" wide ascii
  44.         $string4 = "][is_encrypted]" wide ascii
  45.         $string5 = "][cards][" wide ascii
  46.         $string6 = "][number]" wide ascii
  47.         $string7 = "][domain]" wide ascii
  48.         $string8 = "][cookies][" wide ascii
  49.         $string9 = "][flag]" wide ascii
  50.         $string10 = "][histories][" wide ascii
  51.         $string11 = "D877F783D5D3EF8C" wide ascii
  52.  
  53.         $alphabet1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  54.         $alphabet2 = "0123456789abcdefghijklmnopqrstuvwxyz"
  55.  
  56.     condition:
  57.     ($MZ at 0 and $decoderoutine) and
  58.     (
  59.         (5 of ($string*) and all of ($alphabet*))
  60.     )
  61.  
  62.     and filesize < 700KB // Standard size when not packed should be arround ~598/600kb
  63. }