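// Triage rule for a stealer sample (described by the author as a possible
// Redline variant). The strings are identifier-style names and Windows CNG
// (BCRYPT_*) structure names as extracted from the sample by yarGen; several
// of them (e.g. "Discord", "OpenVPN", "ItemBase") are short and generic and
// are likely to appear in benign software as well, so a hit is a lead to be
// confirmed against the sample, not a verdict on its own.
rule Stealer {
    meta:
        description = "Stealer Malware (Potential Redline Variant)"
        author = "Mali-Gator"
        reference = "YARA Rule Generator - https://github.com/Neo23x0/yarGen"
        date = "2022-September"
    strings:
        $s1 = "RecordHeaderField" fullword ascii
        $s2 = "BCRYPT_KEY_LENGTHS_STRUCT" fullword ascii
        $s3 = "SystemInfoHelper" fullword ascii
        $s4 = "StringDecrypt" fullword ascii
        $s5 = "BCRYPT_PSS_PADDING_INFO" fullword ascii
        $s6 = "BCRYPT_OAEP_PADDING_INFO" fullword ascii
        $s7 = "SqliteMasterEntry" fullword ascii
        $s8 = "FileCopier" fullword ascii
        $s9 = "BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO" fullword ascii
        $s10 = "FileScanning" fullword ascii
        $s11 = "DataBaseConnectionHandler" fullword ascii
        $s12 = "Discord" fullword ascii
        $s13 = "Entity6" fullword ascii
        $s14 = "FullInfoSender" fullword ascii
        $s15 = "EnvironmentChecker" fullword ascii
        $s16 = "OpenVPN" fullword ascii
        $s17 = "AllWallets" fullword ascii
        $s18 = "EntityCreator" fullword ascii
        $s19 = "PartsSender" fullword ascii
        $s20 = "FileSearcher" fullword ascii
        $s21 = "GameLauncher" fullword ascii
        $s22 = "ItemBase" fullword ascii
        $s23 = "M03illa" fullword ascii
    condition:
        // Primary path: accept a partial (8-string) match only when the input
        // looks like a file of the expected kind. 0x5a4d is the little-endian
        // "MZ" magic of a PE/DOS executable at offset 0; 0x2d2d is "--".
        (
            ( uint16(0) == 0x2d2d or uint16(0) == 0x5a4d )
            and filesize < 24000KB
            and ( 8 of them )
        )
        // Fallback for input that does not satisfy the gate (e.g. a memory
        // region or a dump without the original header): require every
        // string rather than eight. The previous fallback was also
        // "( 8 of them )", which made the header and filesize checks dead
        // code because the whole condition collapsed to "8 of them".
        or ( all of them )
}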