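rule dtrack_2020 {
	// Detects Dtrack samples through a build artefact (PDB path), embedded
	// log/User-Agent/path strings, two command templates and three code
	// byte patterns; see condition for how they combine.
	// NOTE(review): the string literals were recovered from a rendered copy
	// of the rule that had inserted spaces around every "\\" and inside the
	// second regex ("[ 0 - 9 ]{ 1 , 3 }", "C\ $"). Such whitespace cannot
	// occur in the on-disk artefacts and would stop the strings from ever
	// matching, so it was removed to match the form of $str_reg_use. Diff
	// against the upstream IoCs/dtrack_lazarus_group.md before deploying.
	meta:
		author = "jeFF0Falltrades"
		description = "Dtrack (listed under Lazarus Group on the source page): PDB path, artefact strings and code patterns"
	strings:
		// Build artefact: PDB path left in the stub binary.
		$pdb = "Users\\user\\Documents\\Visual Studio 2008\\Projects\\MyStub\\Release\\MyStub.pdb" ascii wide
		// Log-file banner and hard-coded User-Agent prefix.
		$str_log = "------------------------------ Log File Create...." ascii wide
		$str_ua = "CCS_Mozilla/5.0 (Windows NT 6.1" ascii wide
		// Chrome history database path, temp-file and execution-log name templates.
		$str_chrome = "Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History" ascii wide
		$str_tmp = "%s\\~%d.tmp" ascii wide
		$str_exc = "Execute_%s.log" ascii wide
		// Command templates addressing a dotted-quad host: unmapping the
		// \\<ip>\C$ share, and moving a file into \\<ip>\C$\Windows\Temp\MpLogs\.
		// Both share the "\\\\" + [0-9]{1,3}(\.[0-9]{1,3}){3} + "\\C\$" core.
		// $str_reg_move assumes the path is contiguous after "C$" (no space
		// before "\Windows") — confirm against the upstream rule text.
		$str_reg_use = /net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ \/delete/
		$str_reg_move = /move \/y %s \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$\\Windows\\Temp\\MpLogs\\/
		// Code patterns with wildcarded operand bytes. $hex_3 appears to be an
		// "81 0D <disp32> <imm32>" instruction with a fixed 4-byte immediate
		// (1C 31 39 29); the author treats that constant as specific enough to
		// fire on its own (see condition).
		$hex_1 = { D1 ?? 33 ?? FC 81 ?? FF 00 00 00 C1 ?? 17 }
		$hex_2 = { C1 ?? 08 8B ?? FC C1 ?? 10 }
		$hex_3 = { 81 0D [4] 1C 31 39 29 }
	condition:
		// Any two indicators together, or the $hex_3 constant alone.
		2 of them or $hex_3
}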
Details Website 2022-01-01 16 IoCs/dtrack_lazarus_group.md at master · jeFF0Falltrades/IoCs