---
# Nuclei file-protocol template: flags files whose raw content contains at
# least two of three strings tied to Windows keyboard hooking
# (SetWindowsHookEx, WH_KEYBOARD, WH_KEYBOARD_LL). The upstream YARA rule is
# linked under `reference`.
#
# Triage note: this is a capability indicator, not a malware verdict.
# SetWindowsHookEx with a keyboard hook type is a documented Windows API that
# legitimate software (hotkey utilities, accessibility and input tools) also
# uses, which is consistent with `severity: info`. Treat a hit as a lead to
# review in context (file origin, signer, surrounding code).
id: cap-hookexkeylogger-malware

info:
  name: 'CAP HookExKeylogger Malware - Detect'
  author: daffainfo
  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
  tags: malware,file

file:
  # `all` means this template applies no extension filter of its own.
  - extensions:
      - all

    # Any one of the three pairings below is enough to report a match.
    matchers-condition: or

    # NOTE(review): word matchers test for substring containment, and
    # 'WH_KEYBOARD' is a prefix of 'WH_KEYBOARD_LL'. As a result:
    #   - pair 1 is subsumed by pair 2 (WH_KEYBOARD_LL implies WH_KEYBOARD);
    #   - pair 3 is satisfied by a single occurrence of WH_KEYBOARD_LL.
    # Effective logic: (SetWindowsHookEx AND WH_KEYBOARD) OR WH_KEYBOARD_LL.
    # Expect hits on files that mention only the WH_KEYBOARD_LL constant
    # (documentation, headers, source code), without any hook-install call.
    #
    # NOTE(review): the words are compared against the raw bytes as written
    # here, so text stored in a wide (UTF-16) encoding is presumably not
    # matched -- confirm against the scanner build in use.
    matchers:
      # Pair 1: hook-install API + low-level keyboard hook constant.
      - type: word
        part: raw
        condition: and
        case-insensitive: true
        words:
          - 'SetWindowsHookEx'
          - 'WH_KEYBOARD_LL'

      # Pair 2: hook-install API + keyboard hook constant.
      - type: word
        part: raw
        condition: and
        case-insensitive: true
        words:
          - 'SetWindowsHookEx'
          - 'WH_KEYBOARD'

      # Pair 3: both hook constants, with no API name required.
      - type: word
        part: raw
        condition: and
        case-insensitive: true
        words:
          - 'WH_KEYBOARD'
          - 'WH_KEYBOARD_LL'