Yara Rule - Detects strings found in POOLRAT malware

Yara definition.

Author: Mandiant

Reference: https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

The condition requires a PE32 executable (an `MZ` header, the `PE\0\0` signature at `e_lfanew`, and the optional-header magic 0x010B) and all three opcode patterns: a `cmp dword ptr [ebp+disp32], imm32` against the marker constant, and two `mov [ebp+disp32], imm` sequences that the rule's comments identify as the first and second XOR key setup. The `??` bytes are the stack displacements, which vary between builds.

```yara
    meta:
        date = "2023-04-20"
        modified = "2023-04-21"
        score = 75
        hash1 = "aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43"
        old_rule_name = "APT_NK_MAL_M_Hunting_POOLRAT"
        score = 70
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        hash1 = "451c23709ecd5a8461ad060f6346930c"
    strings:
        $opb1 = { 81 BD ?? ?? ?? ?? 5E DA F3 76 } /* marker */
        $opb2 = { C7 85 ?? ?? ?? ?? 74 F2 39 DA 66 C7 85 ?? ?? ?? ?? E5 CF } /* 1st xor key */
        $opb3 = { C7 85 ?? ?? ?? ?? 74 F2 39 DA B9 00 04 00 00 66 C7 85 ?? ?? ?? ?? E5 CF } /* 2nd xor key */
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
```
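The following Python is an added example, not part of this page, of Mandiant's rule, or of signature-base. It re-implements the rule's condition (the three PE32 header reads and the three wildcarded hex patterns) so the logic can be traced and tested offline without yara-python. The sample buffer produced by `build_sample()` is a constructed, non-malicious PE32 stub with arbitrary values in the `??` displacement positions; it is not a POOLRAT sample, and the function names are this example's own.

```python
"""Pure-Python re-implementation of the POOLRAT hunting rule's condition.

Added example; not the page's or signature-base's code. It translates the
rule's hex strings ($opb1..$opb3) into bytes regexes, applies the PE32
header checks from the condition, and exercises both against a constructed
PE32 stub so the result can be verified without yara-python.
"""
import re
import struct

# Hex patterns copied from the rule; "??" is a single wildcard byte.
OPB1 = "81 BD ?? ?? ?? ?? 5E DA F3 76"                                   # marker
OPB2 = "C7 85 ?? ?? ?? ?? 74 F2 39 DA 66 C7 85 ?? ?? ?? ?? E5 CF"        # 1st xor key
OPB3 = "C7 85 ?? ?? ?? ?? 74 F2 39 DA B9 00 04 00 00 66 C7 85 ?? ?? ?? ?? E5 CF"  # 2nd xor key
PATTERNS = {"$opb1": OPB1, "$opb2": OPB2, "$opb3": OPB3}


def hex_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a YARA hex string with '??' wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so a wildcard also matches 0x0A (newline) in binary data.
    return re.compile(b"".join(parts), re.DOTALL)


def pe32_header_ok(data: bytes) -> bool:
    """Header part of the condition: MZ, 'PE\\0\\0' at e_lfanew, PE32 magic."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False                                        # uint16(0) == "MZ"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # uint32(0x3C)
    if e_lfanew + 0x1A > len(data):
        return False                                        # YARA reads out of range -> undefined -> no match
    if struct.unpack_from("<I", data, e_lfanew)[0] != 0x00004550:
        return False                                        # "PE\0\0"
    # Optional header starts 0x18 bytes after the PE signature; 0x010B = PE32.
    return struct.unpack_from("<H", data, e_lfanew + 0x18)[0] == 0x010B


def matched_strings(data: bytes) -> list:
    """Names of the rule's strings that occur in data (diagnostic view)."""
    return [name for name, pat in PATTERNS.items() if hex_pattern_to_regex(pat).search(data)]


def rule_matches(data: bytes) -> bool:
    """Full condition: PE32 header checks and 'all of them'."""
    return pe32_header_ok(data) and len(matched_strings(data)) == len(PATTERNS)


def build_sample(include_opcodes: bool = True, pe32plus: bool = False) -> bytes:
    """Construct a minimal PE-like buffer (not a real executable) for testing.

    Wildcard positions are filled with arbitrary stack displacements chosen
    for this example; the non-wildcard bytes come from the rule.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    dos += struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    nt = bytearray(b"PE\x00\x00" + b"\x00" * 0x14)            # signature + 20-byte file header
    nt += struct.pack("<H", 0x020B if pe32plus else 0x010B)  # optional header magic
    body = b""
    if include_opcodes:
        body += bytes.fromhex("81BD" "44FFFFFF" "5EDAF376")                            # $opb1
        body += bytes.fromhex("C785" "48FFFFFF" "74F239DA" "66C785" "4CFFFFFF" "E5CF")  # $opb2
        body += bytes.fromhex("C785" "50FFFFFF" "74F239DA" "B900040000"
                              "66C785" "54FFFFFF" "E5CF")                              # $opb3
    return bytes(dos + nt) + b"\x90" * 16 + body + b"\xC3"


if __name__ == "__main__":
    for label, buf in (("pe32 with opcodes", build_sample()),
                       ("pe32 without opcodes", build_sample(include_opcodes=False)),
                       ("pe32+ with opcodes", build_sample(pe32plus=True))):
        print(f"{label:22s} header={pe32_header_ok(buf)} "
              f"strings={matched_strings(buf)} match={rule_matches(buf)}")
```

The PE32+ case is the one to note when hunting: a 64-bit build of the same code would fail the 0x010B check even if the byte patterns were present, so a negative result on x64 samples says nothing about the strings. Likewise, `matched_strings()` separates "header failed" from "one of the three patterns is missing", which a plain yes/no from the rule does not.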


[https://github.com/Neo23x0/signature-base/commit/c63469c70efde892f888d18271022a555d1b449c](https://github.com/Neo23x0/signature-base/commit/c63469c70efde892f888d18271022a555d1b449c)