Yara Rule - 스캐너의 백도어 / 수정 된 버전 일 수있는 Thor 스캐너의 부호없는 버전을 감지
Yara 정의.
Yara Rule - Detects unsigned version of THOR scanner, which could be a backdoored / modified version of the scanner
Yara definition.
Author: Florian Roth
Internal Research
date = "2023-10-28"
score = 75
$s1 = "THOR APT Scanner" wide fullword
$s2 = "Nextron Systems GmbH" wide fullword
$sc1 = { 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 74 00 68 00 6F 00 72 }
uint16(0) == 0x5a4d
and pe.number_of_signatures == 0```
[https://github.com/Neo23x0/signature-base/commit/8e0e4733e9161ac32c371612967fe65927880e7a](https://github.com/Neo23x0/signature-base/commit/8e0e4733e9161ac32c371612967fe65927880e7a)