Yara Rule - Detects indicators of .NET based malware sideloading as an unsigned VCRUNTIME140

Yara definition.

Author: Jonathan Peters

https://github.com/gabe-k/themebleed

```yara
meta:
    date = "2023-09-13"
    score = 75
strings:
    $s1 = /Path=\\\\[0-9a-zA-Z\.-]{1,20}\\/
    $s2 = "[VisualStyles]"
    $s3 = "[Theme]"
```

```yara
meta:
    date = "2023-08-30"
    hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
    score = 75
strings:
    $fp1 = "Wine builtin DLL" ascii
condition:
    (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
    and not pe.number_of_signatures == 0
```


[https://github.com/Neo23x0/signature-base/commit/ead5fbab68896937ea306856bea69455c636ea47](https://github.com/Neo23x0/signature-base/commit/ead5fbab68896937ea306856bea69455c636ea47)