diff --git a/offshore APT organization/Bitter/27-08-19/YARA_Rule_Bitter_Variant1_August_2019.txt b/offshore APT organization/Bitter/27-08-19/YARA_Rule_Bitter_Variant1_August_2019.txt new file mode 100644 index 0000000..8298aa4 --- /dev/null +++ b/offshore APT organization/Bitter/27-08-19/YARA_Rule_Bitter_Variant1_August_2019.txt @@ -0,0 +1,60 @@ +#===================================================== +# Hard coded encoded (Variant 1) +# "bqqmjdbujpo0y.xxx.gpsn.vsmfodpefe" -> "application/x-www-form-urlencoded" +# "0fiSfdws/qiq" -> "/ehRecvr.php" +# "0I0N0V0\\0o0v0 -> "/H/M/U/[[/n/u/" +# "QPTU" -> "POST" +# "lffq.bmjwf" -> "keep-alive" +# "Dpoofdujpo" -> "Connection:" +# "Iptu;" -> "Host:" +# "IUUQ02/1" -> "HTTP/1.0" +#===================================================== +rule ArtraDownlaoder_bin_Variant1 +{ + meta: + description = "Artra Downloader" + author = "James_inthe_box, Arkbird" + reference = "dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1" + date = "2019/08" + maltype = "Loader" + + strings: + $string1 = "bqqmjdbujpo0y.xxx.gpsn.vsmfodpefe" + $string2 = "=%s&st=%d" + $string3 = "Content-length: %d" + $string4 = "0I0N0V0\\0o0v0" + $string5 = "ID=%s" + $string6 = "QPTU" + $string7 = "lffq.bmjwf" + $string8 = "Dpoofdujpo" + $string9 = "Iptu;" + $string10 = "IUUQ02/1" + + condition: + uint16(0) == 0x5A4D and all of ($string*) and filesize < 100KB +} + +rule ArtraDownlaoder_mem_Variant1 +{ + meta: + description = "Artra Downloader" + author = "James_inthe_box, Arkbird" + reference = "dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1" + date = "2019/08" + maltype = "Loader" + + strings: + $string1 = "bqqmjdbujpo0y.xxx.gpsn.vsmfodpefe" + $string2 = "=%s&st=%d" + $string3 = "Content-length: %d" + $string4 = "0I0N0V0\\0o0v0" + $string5 = "ID=%s" + $string6 = "QPTU" + $string7 = "lffq.bmjwf" + $string8 = "Dpoofdujpo" + $string9 = "Iptu;" + $string10 = "IUUQ02/1" + + condition: + all of ($string*) and filesize > 100KB +}