James_inthe_box

Krypton stealer snort suricata yara

May 3rd, 2019
yara:

rule Krypton_bin
{
    meta:
        description = "Krypton stealer"
        author = "James_inthe_box"
        reference = "d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14"
        date = "2019/05"
        maltype = "Stealer"

    strings:
        $string1 = "accounts="
        $string2 = "credit="
        $string3 = "file="
        $string4 = "crypto="
        $string5 = "cookie="

    condition:
        uint16(0) == 0x5A4D and all of ($string*) and filesize < 800KB
}

rule Krypton_mem
{
    meta:
        description = "Krypton stealer"
        author = "James_inthe_box"
        reference = "d4b908f9c294902196657c7b566046f058b2b58a63cfa49abf85e9e300bb8f14"
        date = "2019/05"
        maltype = "Stealer"

    strings:
        $string1 = "accounts="
        $string2 = "credit="
        $string3 = "file="
        $string4 = "crypto="
        $string5 = "cookie="

    condition:
        all of ($string*) and filesize > 600KB
}

snort/suricata:

alert tcp any any -> any $HTTP_PORTS (msg:"Krypton Stealer Checkin"; flow:established,to_server; content:"POST"; http_method; content:"id=01&message="; fast_pattern; reference:md5,825afad02d07063689b7b59e8cf46809; classtype:trojan-activity; sid:20166292; rev:1; metadata:created_at 2019_04_03;)