Yara Rule - Detects FalseFont backdoor, related to Peach Sandstorm APT
Yara definition.
```yara
rule FalseFont_Backdoor_PLACEHOLDER   // placeholder: the rule's name is not preserved on this page
{
   meta:
      description = "Detects FalseFont backdoor, related to Peach Sandstorm APT"
      author = "X__Junior, Jonathan Peters"
      reference = "https://twitter.com/MsftSecIntel/status/1737895710169628824"
      date = "2024-01-11"
      hash = "364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614"
      score = 80
   strings:
      $x1 = "Agent.Core.WPF.App" ascii
      $x2 = "3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA=" wide // AesIV
      $x3 = "viOIZ9cX59qDDjMHYsz1Yw==" wide // AesKey

      $sa1 = "StopSendScreen" wide
      $sa2 = "Decryption failed :(" wide

      $sb1 = "{0} {1} {2} {3}" wide
      $sb2 = "\\BraveSoftware\\Brave-Browser\\User Data\\" wide
      $sb3 = "select * from logins" wide
      $sb4 = "Loginvault.db" wide
      $sb5 = "password_value" wide
   condition:
      uint16(0) == 0x5a4d
      // the rest of the condition (how the $x, $sa and $sb families combine) is truncated on this page
}
```
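The following is an added example, not code from signature-base: it re-implements the rule's string checks in plain Python so the effect of YARA's `ascii`/`wide` modifiers and the `uint16(0) == 0x5a4d` PE check can be seen on a constructed buffer. Because the rule's full condition is truncated on this page, the scanner reports which string families hit instead of a final verdict; the sample bytes are constructed, not taken from a real FalseFont binary.

```python
# Added example (not the signature-base rule itself): string families
# copied from the rule as (text, modifier); the combining condition is
# not reproduced because it is truncated on the page.
X_STRINGS = {
    "x1": ("Agent.Core.WPF.App", "ascii"),
    "x2": ("3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA=", "wide"),  # AesIV
    "x3": ("viOIZ9cX59qDDjMHYsz1Yw==", "wide"),                      # AesKey
}
SA_STRINGS = {
    "sa1": ("StopSendScreen", "wide"),
    "sa2": ("Decryption failed :(", "wide"),
}
SB_STRINGS = {
    "sb1": ("{0} {1} {2} {3}", "wide"),
    "sb2": ("\\BraveSoftware\\Brave-Browser\\User Data\\", "wide"),
    "sb3": ("select * from logins", "wide"),
    "sb4": ("Loginvault.db", "wide"),
    "sb5": ("password_value", "wide"),
}

def encode(text, modifier):
    # YARA `ascii` = raw bytes; `wide` = UTF-16LE (each char followed by a NUL byte)
    return text.encode("ascii") if modifier == "ascii" else text.encode("utf-16-le")

def is_pe(data):
    # uint16(0) == 0x5a4d: little-endian read of the first two bytes equals b"MZ"
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D

def scan(data):
    """Return {family: [ids of strings found]} for a byte buffer."""
    hits = {}
    for family, strings in (("x", X_STRINGS), ("sa", SA_STRINGS), ("sb", SB_STRINGS)):
        hits[family] = [sid for sid, (t, m) in strings.items() if encode(t, m) in data]
    return hits

# Constructed sample: MZ header padding, one ascii $x string, both $sa strings
# in UTF-16LE, and one $sb string in ASCII only (rule wants it `wide`, so no hit).
SAMPLE = (b"MZ" + b"\x90" * 62
          + b"Agent.Core.WPF.App"
          + "StopSendScreen".encode("utf-16-le")
          + "Decryption failed :(".encode("utf-16-le")
          + b"Loginvault.db")

if __name__ == "__main__":
    print(is_pe(SAMPLE), scan(SAMPLE))
```

The `Loginvault.db` case shows why modifiers matter: a `wide`-only string never matches its ASCII form, so a scanner that ignores the modifier would over-report.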
[https://github.com/Neo23x0/signature-base/commit/85e0fcd5166bc44067fb67d37f14d9d5c2981c3e](https://github.com/Neo23x0/signature-base/commit/85e0fcd5166bc44067fb67d37f14d9d5c2981c3e)