Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- yara:
- rule Krypton_bin
- {
- meta:
- description = "Krypton stealer"
- author = "James_inthe_box"
- reference = "d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14"
- date = "2019/05"
- maltype = "Stealer"
- strings:
- $string1 = "accounts="
- $string2 = "credit="
- $string3 = "file="
- $string4 = "crypto="
- $string5 = "cookie="
- condition:
- uint16(0) == 0x5A4D and all of ($string*) and filesize < 800KB
- }
- rule Krypton_mem
- {
- meta:
- description = "Krypton stealer"
- author = "James_inthe_box"
- reference = "d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14"
- date = "2019/05"
- maltype = "Stealer"
- strings:
- $string1 = "accounts="
- $string2 = "credit="
- $string3 = "file="
- $string4 = "crypto="
- $string5 = "cookie="
- condition:
- all of ($string*) and filesize > 600KB
- }
- snort/suricata
- alert tcp any any -> any $HTTP_PORTS (msg:"Krypton Stealer Checkin"; flow:established,to_server; content:"POST"; http_method; content:"id=01&message="; fast_pattern; reference:md5,825afad02d07063689b7b59e8cf46809; classtype:trojan-activity; sid:20166292; rev:1; metadata:created_at 2019_04_03;)
Add Comment
Please, Sign In to add comment