From c3c1c30be55e3f871fc37bbb5494dc7f05343a9a Mon Sep 17 00:00:00 2001
From: harryeetsource <95581121+harryeetsource@users.noreply.github.com>
Date: Wed, 13 Nov 2024 16:00:21 -0800
Subject: [PATCH 1/2] Add files via upload

---
 malware/DridexShellcode.yar | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 malware/DridexShellcode.yar

diff --git a/malware/DridexShellcode.yar b/malware/DridexShellcode.yar
new file mode 100644
index 00000000..54c50c29
--- /dev/null
+++ b/malware/DridexShellcode.yar
@@ -0,0 +1,25 @@
+rule DridexShellcode {
+ meta:
+ description = "Detects Dridex stager shellcode instructions"
+ author = "Harrison Edwards"
+ date = "2024-11-13"
+ version = "2.3"
+
+ strings:
+ $sequence1 = { 48 85 d2 0f 84 ?? ?? ?? ?? 48 } // dec eax; test edx, edx; je ; dec eax
+ $sequence2 = { 83 ec 20 89 74 24 20 } // sub esp, 0x20; mov dword ptr [esp + 0x20], esi
+ $sequence3 = { 8b 4a 08 45 33 c0 } // mov ecx, dword ptr [edx + 8]; inc ebp; xor eax, eax
+ $sequence4 = { ff 97 d8 04 00 00 48 ff ce } // call dword ptr [edi + 0x4d8]; dec eax; dec esi
+ $sequence5 = { 8b 8f 30 04 00 00 33 d2 ff 97 c0 04 00 00 } // mov ecx, dword ptr [edi + 0x430]; xor edx, edx; call dword ptr [edi + 0x4c0]
+ $sequence6 = { 85 c0 74 25 48 83 64 24 38 00 } // test eax, eax; je ; dec eax; and dword ptr [esp + 0x38], 0
+
+ $push_stack_adjust = { 57 48 83 ec 20 } // push edi; dec eax; sub esp, 0x20
+ $dec_mov_sequence = { 48 89 5c 24 08 48 89 74 24 20 } // dec eax; mov dword ptr [esp + 8], ebx; dec eax; mov dword ptr [esp + 0x20], esi
+ $conditional_jump_memory = { 85 d2 0f 84 ?? ?? ?? ?? 48 89 74 24 20 } // test edx, edx; je ; dec eax; mov dword ptr [esp + 0x20], esi
+ $lea_stack_manipulation = { 8d 44 24 38 48 8d 54 24 40 } // lea eax, [esp + 0x38]; dec eax; lea edx, [esp + 0x40]
+ $ret_int3 = { c3 cc } // ret; int3
+ $cmp_jne_sequence = { 81 3e 50 45 00 00 75 ?? } // cmp dword ptr [esi], 0x4550; jne
+
+ condition:
+ 10 of them
+}
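Review bot: The trailing comments on the byte patterns disassemble the bytes as 32-bit code, but these are x64 sequences: `48` is the REX.W prefix rather than `dec eax`, so `48 83 ec 20` is `sub rsp, 0x20`, `48 89 5c 24 08` is `mov [rsp+8], rbx`, `48 ff ce` is `dec rsi`, and `45 33 c0` in `$sequence3` is `xor r8d, r8d` rather than `inc ebp; xor eax, eax`; the comments on `$sequence1`, `$sequence3`, `$sequence4`, `$sequence6`, `$push_stack_adjust`, `$dec_mov_sequence`, `$conditional_jump_memory` and `$lea_stack_manipulation` should be rewritten accordingly (e.g. `$push_stack_adjust = { 57 48 83 ec 20 } // push rdi; sub rsp, 0x20`), since a reader who trusts the 32-bit reading will mis-triage the rule's intent. Several of those patterns (`$push_stack_adjust`, `$dec_mov_sequence`, `$ret_int3`, and the `cmp dword ptr [rsi], 'PE\0\0'` check in `$cmp_jne_sequence`) look like standard MSVC x64 prologue/epilogue and PE-header idioms, so they are likely to match many benign 64-bit Windows binaries and contribute little discrimination under `10 of them`; the rule's specificity appears to rest on the `$sequence*` group. Consider making that explicit and bounding scan cost, e.g. `condition: filesize < 2MB and 4 of ($sequence*) and 10 of them` (the size threshold is a constructed example to be tuned against known samples). A `reference` or sample hash entry in `meta` would also let reviewers validate the patterns against the Dridex stager the rule targets.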
From 6d861e737fb7b8407fd9f95389d5a5bd1b76f6e4 Mon Sep 17 00:00:00 2001
From: harryeetsource <95581121+harryeetsource@users.noreply.github.com>
Date: Wed, 13 Nov 2024 16:31:29 -0800
Subject: [PATCH 2/2] Update DridexShellcode.yar

---
 malware/DridexShellcode.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/malware/DridexShellcode.yar b/malware/DridexShellcode.yar
index 54c50c29..d150cd06 100644
--- a/malware/DridexShellcode.yar
+++ b/malware/DridexShellcode.yar
@@ -1,4 +1,4 @@
-rule DridexShellcode {
+rule DridexStagerShellcodeRoutine {
 meta:
 description = "Detects Dridex stager shellcode instructions"
 author = "Harrison Edwards"