Yara Rule - Detects FalseFont backdoor, related to Peach Sandstorm APT

Yara definition.

Author: X__Junior, Jonathan Peters

Reference: https://twitter.com/MsftSecIntel/status/1737895710169628824

Excerpt of the rule as it appears in the signature-base commit linked below (the meta fields, the string definitions and the opening of the condition; the rule header and the remainder of the condition are not reproduced here):

```yara
    meta:
        description = "Detects FalseFont backdoor, related to Peach Sandstorm APT"
        author = "X__Junior, Jonathan Peters"
        reference = "https://twitter.com/MsftSecIntel/status/1737895710169628824"
        date = "2024-01-11"
        hash = "364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614"
        score = 80
    strings:
        $x1 = "Agent.Core.WPF.App" ascii
        $x2 = "3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA=" wide //AesIV
        $x3 = "viOIZ9cX59qDDjMHYsz1Yw==" wide // AesKey
        $sa1 = "StopSendScreen" wide
        $sa2 = "Decryption failed :(" wide
        $sb1 = "{0}     {1}     {2}     {3}" wide
        $sb2 = "\\BraveSoftware\\Brave-Browser\\User Data\\" wide
        $sb3 = "select * from logins" wide
        $sb4 = "Loginvault.db" wide
        $sb5 = "password_value" wide
    condition:
        uint16(0) == 0x5a4d
```

`uint16(0) == 0x5a4d` reads the first two bytes of the file little-endian and compares them with "MZ", so the rule only considers PE files. The `wide` modifier matches the string encoded as UTF-16LE, which is how user string literals are stored in a .NET assembly (the `#US` heap); a namespace or assembly name such as `Agent.Core.WPF.App` lives in the UTF-8 `#Strings` heap instead, which is why `$x1` is the one `ascii` string. The `$sb*` strings (the Brave `User Data` path, `select * from logins`, `password_value`, the `Loginvault.db` copy name) are artefacts of reading saved credentials out of a Chromium-based browser's login database.
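To show what the rule's atoms actually match on disk, here is an added Python example (not part of the original page and not signature-base code). It re-encodes each string from the rule under its `ascii`/`wide` modifier, reproduces the `uint16(0) == 0x5a4d` header check, reports per-string and per-family hits, and decodes the two base64 AES constants to their byte lengths. The buffer `SAMPLE` is constructed for the example and is not a FalseFont sample; the function names are mine; the final combination of the string families is left to the full rule in the linked commit and is not reproduced here.

```python
import base64

# Strings copied from the rule excerpt above, keyed by identifier, with the
# modifier YARA applies to each ("ascii" = raw bytes, "wide" = UTF-16LE).
RULE_STRINGS = {
    "$x1": ("Agent.Core.WPF.App", "ascii"),
    "$x2": ("3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA=", "wide"),
    "$x3": ("viOIZ9cX59qDDjMHYsz1Yw==", "wide"),
    "$sa1": ("StopSendScreen", "wide"),
    "$sa2": ("Decryption failed :(", "wide"),
    "$sb1": ("{0}     {1}     {2}     {3}", "wide"),
    "$sb2": ("\\BraveSoftware\\Brave-Browser\\User Data\\", "wide"),
    "$sb3": ("select * from logins", "wide"),
    "$sb4": ("Loginvault.db", "wide"),
    "$sb5": ("password_value", "wide"),
}


def encode_pattern(text: str, modifier: str) -> bytes:
    """Return the byte pattern YARA searches for under the given modifier."""
    if modifier == "wide":
        # 'wide' means every character is followed by a NUL byte: UTF-16LE,
        # which is how string literals are stored in .NET assemblies.
        return text.encode("utf-16-le")
    return text.encode("ascii")


def is_pe_candidate(data: bytes) -> bool:
    """Equivalent of the condition prefix uint16(0) == 0x5a4d.

    uint16() reads two bytes little-endian, so 0x5a4d is the byte sequence
    4d 5a, i.e. the 'MZ' DOS header every PE file starts with.
    """
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def match_strings(data: bytes) -> dict[str, bool]:
    """Report, per identifier, whether its encoded pattern occurs in data."""
    return {
        ident: encode_pattern(text, modifier) in data
        for ident, (text, modifier) in RULE_STRINGS.items()
    }


def hits_by_group(data: bytes) -> dict[str, int]:
    """Count hits per identifier family ($x*, $sa*, $sb*); the rule's
    condition combines these families, but that logic is not reproduced here."""
    counts = {"x": 0, "sa": 0, "sb": 0}
    for ident, hit in match_strings(data).items():
        if hit:
            counts[ident.lstrip("$").rstrip("0123456789")] += 1
    return counts


def aes_constant_lengths() -> dict[str, int]:
    """Decoded byte lengths of the two base64 constants the rule carries."""
    return {
        ident: len(base64.b64decode(RULE_STRINGS[ident][0]))
        for ident in ("$x2", "$x3")
    }


# Constructed test buffer (not a real FalseFont sample): an 'MZ' stub, one
# ASCII string, one UTF-16LE string, and one string stored ASCII-only so the
# effect of the 'wide' modifier is visible.
SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"Agent.Core.WPF.App\x00"                 # $x1 is 'ascii': hits
    + "StopSendScreen".encode("utf-16-le")      # $sa1 is 'wide': hits
    + b"Decryption failed :(\x00"               # $sa2 is 'wide' only: no hit
)

if __name__ == "__main__":
    print("PE candidate:", is_pe_candidate(SAMPLE))
    print("hits:", {k: v for k, v in match_strings(SAMPLE).items() if v})
    print("per group:", hits_by_group(SAMPLE))
    print("decoded AES constant lengths:", aes_constant_lengths())
```

Two points the run makes visible. First, `Decryption failed :(` is present in the buffer but does not hit, because the rule asks for the UTF-16LE form; when you write or tune rules for .NET malware, `wide` is the modifier that matches string literals. Second, the decoded lengths are 32 bytes for `$x2` (commented `AesIV` in the rule) and 16 bytes for `$x3` (commented `AesKey`); an AES IV is always one 16-byte block and 32 bytes is an AES-256 key length, so check the roles yourself before reusing these constants to decrypt captured traffic. For production scanning, run the rule itself with `yara`; this script only explains what the rule's atoms match.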


[https://github.com/Neo23x0/signature-base/commit/85e0fcd5166bc44067fb67d37f14d9d5c2981c3e](https://github.com/Neo23x0/signature-base/commit/85e0fcd5166bc44067fb67d37f14d9d5c2981c3e)