ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Yara_Rule_SideWinder_Dec19.yar

Browse Source
This commit is contained in:
StrangerealIntel 2019-12-28 19:20:17 +01:00 committed by GitHub
parent 03336b6559
commit 8ddf49a364
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Indian/APT/SideWinder/25-12-19/Yara/Yara_Rule_SideWinder_Dec19.yar
View File

@ -28,6 +28,7 @@ rule APT_SideWinder_RTF_Dec19_1 {
hash1 = "87882b884afd4bd6d4da1fb5e3f87d728f128f75fae32a2720fe899ac7f23f5d" hash1 = "87882b884afd4bd6d4da1fb5e3f87d728f128f75fae32a2720fe899ac7f23f5d"
strings: strings:
$s1 = "\\par 5.\\tab }{\\rtlch\\fcs1 \\af1 \\ltrch\\fcs0 \\insrsid6948592 Command and Operational Authorities are to ensure that these " ascii $s1 = "\\par 5.\\tab }{\\rtlch\\fcs1 \\af1 \\ltrch\\fcs0 \\insrsid6948592 Command and Operational Authorities are to ensure that these " ascii
$s2 = "39336e486c627250655a7738307456722b3649366a6577775a466a653841387032583934783952785075583934616839706e62724d504c5a543937686d4f7078" ascii /* hex encoded string '93nHlbrPeZw80tVr+6I6jewwZFje8A8p2X94x9RxPuX94ah9pnbrMPLZT97hmOpx' */
$s3 = "2b39423552767779557174752f545941752f6f2b3937534874785179466546702b7456546f616659366975774b344c4b4730483273736e4b584c39367751637a" ascii /* hex encoded string '+9B5RvwyUqtu/TYAu/o+97SHtxQyFeFp+tVToafY6iuwK4LKG0H2ssnKXL96wQcz' */ $s3 = "2b39423552767779557174752f545941752f6f2b3937534874785179466546702b7456546f616659366975774b344c4b4730483273736e4b584c39367751637a" ascii /* hex encoded string '+9B5RvwyUqtu/TYAu/o+97SHtxQyFeFp+tVToafY6iuwK4LKG0H2ssnKXL96wQcz' */
$s4 = "2f2b563762424544636c4137522b74427339495574346c646267482f452b70544d542f68694f4c446c2b416b634f3438594c736b47756f6c6672505669747679" ascii /* hex encoded string '/+V7bBEDclA7R+tBs9IUt4ldbgH/E+pTMT/hiOLDl+AkcO48YLskGuolfrPVitvy' */ $s4 = "2f2b563762424544636c4137522b74427339495574346c646267482f452b70544d542f68694f4c446c2b416b634f3438594c736b47756f6c6672505669747679" ascii /* hex encoded string '/+V7bBEDclA7R+tBs9IUt4ldbgH/E+pTMT/hiOLDl+AkcO48YLskGuolfrPVitvy' */
$s5 = "793431527173426e6a334f2b545653415030466b3367727546414b766a6f456f3643714944526d6d41565658506a4d7a4d4959534776475753536c7752727a44" ascii /* hex encoded string 'y41RqsBnj3O+TVSAP0Fk3gruFAKvjoEo6CqIDRmmAVVXPjMzMIYSGvGWSSlwRrzD' */ $s5 = "793431527173426e6a334f2b545653415030466b3367727546414b766a6f456f3643714944526d6d41565658506a4d7a4d4959534776475753536c7752727a44" ascii /* hex encoded string 'y41RqsBnj3O+TVSAP0Fk3gruFAKvjoEo6CqIDRmmAVVXPjMzMIYSGvGWSSlwRrzD' */
@ -45,8 +46,7 @@ rule APT_SideWinder_RTF_Dec19_1 {
$s17 = "41546d683864756a52315036673030324d72704f79424f4575557572426443555951444f5677615a7447594454673376365766334e494f734d6f4c66657a7571" ascii /* hex encoded string 'ATmh8dujR1P6g002MrpOyBOEuUurBdCUYQDOVwaZtGYDTg3v6Wf3NIOsMoLfezuq' */ $s17 = "41546d683864756a52315036673030324d72704f79424f4575557572426443555951444f5677615a7447594454673376365766334e494f734d6f4c66657a7571" ascii /* hex encoded string 'ATmh8dujR1P6g002MrpOyBOEuUurBdCUYQDOVwaZtGYDTg3v6Wf3NIOsMoLfezuq' */
$s18 = "333662544c4f743272576e354e78766839562f306a472b583555766642394e4d37666f2b6e6c7944682f6a3659376b33482b486f76656c497a7a39316a30546d" ascii /* hex encoded string '36bTLOt2rWn5Nxvh9V/0jG+X5UvfB9NM7fo+nlyDh/j6Y7k3H+HovelIzz91j0Tm' */ $s18 = "333662544c4f743272576e354e78766839562f306a472b583555766642394e4d37666f2b6e6c7944682f6a3659376b33482b486f76656c497a7a39316a30546d" ascii /* hex encoded string '36bTLOt2rWn5Nxvh9V/0jG+X5UvfB9NM7fo+nlyDh/j6Y7k3H+HovelIzz91j0Tm' */
$s19 = "382b394d79702f514f6e502f6e4f5030682b6164562f2b736f722f33627a667a6a35796c2f6538612f2f356b38472f2b57662f626e3953722f782f4276326975" ascii /* hex encoded string '8+9Myp/QOnP/nOP0h+adV/+sor/3bzfzj5yl/e8a//5k8G/+Wf/bn9Sr/x/Bv2iu' */ $s19 = "382b394d79702f514f6e502f6e4f5030682b6164562f2b736f722f33627a667a6a35796c2f6538612f2f356b38472f2b57662f626e3953722f782f4276326975" ascii /* hex encoded string '8+9Myp/QOnP/nOP0h+adV/+sor/3bzfzj5yl/e8a//5k8G/+Wf/bn9Sr/x/Bv2iu' */
$s20 = "39336e486c627250655a7738307456722b3649366a6577775a466a653841387032583934783952785075583934616839706e62724d504c5a543937686d4f7078" ascii /* hex encoded string '93nHlbrPeZw80tVr+6I6jewwZFje8A8p2X94x9RxPuX94ah9pnbrMPLZT97hmOpx' */ condition:
condition:
uint16(0) == 0x5c7b and filesize < 5000KB and 8 of them uint16(0) == 0x5c7b and filesize < 5000KB and 8 of them
} }