# Nuclei file-protocol template: flags files whose raw content contains
# Windows keyboard-hook API identifiers (SetWindowsHookEx, WH_KEYBOARD,
# WH_KEYBOARD_LL). Ported from the YARA rule linked under info.reference.
id: cap-hookexkeylogger-malware

info:
  name: CAP HookExKeylogger Malware - Detect
  author: daffainfo
  # severity is "info": a hit indicates a keyboard-hooking capability, not a
  # confirmed keylogger. Software such as hotkey utilities and accessibility
  # tools references the same identifiers, so triage each hit (file origin,
  # signer, other indicators) before treating it as malicious.
  severity: info
  reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
  tags: malware,file

file:
  # "all" applies the matchers to files of every extension.
  - extensions:
      - all

    # Any single matcher below is enough for a hit. The three matchers
    # enumerate every pair drawn from the three strings.
    # NOTE(review): presumably this mirrors an "any two of three" condition
    # in the upstream YARA rule - confirm against info.reference.
    matchers-condition: or
    matchers:
      # Pair 1: hook-installation API plus the low-level keyboard hook id.
      # condition "and" requires every listed word to be present; matching
      # ignores case.
      - type: word
        part: raw
        words:
          - "SetWindowsHookEx"
          - "WH_KEYBOARD_LL"
        condition: and
        case-insensitive: true

      # Pair 2: hook-installation API plus the keyboard hook id.
      # Word matchers are substring matches and "WH_KEYBOARD" is a prefix of
      # "WH_KEYBOARD_LL", so every file that satisfies pair 1 also satisfies
      # this matcher.
      - type: word
        part: raw
        words:
          - "SetWindowsHookEx"
          - "WH_KEYBOARD"
        condition: and
        case-insensitive: true

      # Pair 3: both hook ids, with no hook-installation API required.
      # NOTE(review): because of the same prefix overlap, a file containing
      # only "WH_KEYBOARD_LL" satisfies both words here, so this matcher
      # fires on that single string. Expect hits on headers, documentation
      # and SDK sources that merely name the constant.
      - type: word
        part: raw
        words:
          - "WH_KEYBOARD"
          - "WH_KEYBOARD_LL"
        condition: and
        case-insensitive: true
# NOTE(review): the digest below was issued for the template text as
# originally published; any edit to this file, presumably including added
# comments, invalidates it - re-sign before relying on signature verification.
# digest: 490a0046304402200f26aeb3ca9df9f4045a64a911f4165e3d2cce3ecd67e137f3b2933a1ad58fdf02200afec8f59a9b9944c13e0480ccca71629e367d03dbe950f02440a6cf9f4a52cf:922c64590222798bb761d5b6d8e72950