// Detects the SolarMarker (Jupyter/Mars) .NET backdoor DLL by combining a
// PE check, a size floor and a 5-of-7 threshold over embedded strings.
rule MAL_SolarMarker
{
    meta:
        author = "JEBSTEIN, Insikt Group, Recorded Future"
        date = "2021-12-14"
        description = "Rule to detect SolarMarker Jupyter/Mars DLL"
        version = "1.0"
        reference = "SolarMarker"
        // Reference samples the rule was written against (SHA-256).
        hash = "10fc8f8cf1b45a6a6b2b929414a84fc513f80d31b988c3d70f9a21968e943bf2"
        hash = "870f691ec9a83e9c4acce142e0acbf110260e6c8e707410c23c02076244f3973"
        hash = "e7d165f3728b96921b43984733a92a51148ec87aec900c519a547c470e2a12d9"
        hash = "056f373077ca5b6a070975b22839d6f427cbcaeaec4dc31df86231cd3757f7e3"
        RF_MALWARE = "SolarMarker RAT"
        RF_MALWARE_ID = "h-tpcZ"
        RF_THREATACTOR = "Solarmarker Threat Group"
        RF_THREATACTOR_ID = "mYbecu"

    strings:
        // UTF-16LE tokens (the `wide` modifier); consistent with a .NET binary.
        $s1 = "change_status" wide
        $s2 = "is_success" wide
        // Fragment of a PowerShell argument; presumably the start of
        // "-ep bypass" (-ExecutionPolicy Bypass) — confirm against samples.
        $s3 = "-ep byp" wide
        // Plain-ASCII family names. Both are short and low-specificity on
        // their own; the 5-of-7 threshold in the condition offsets that.
        $s4 = "Deimos"
        $s5 = "Mars"
        // UTF-16LE for: {"action":"ping","
        // Kept as hex rather than a `wide` text string because the pattern
        // deliberately omits the trailing 00 after the final quote.
        // NOTE(review): looks like a JSON beacon/status message — confirm.
        $h1 = { 7B 00 22 00 61 00 63 00 74 00 69 00 6F 00 6E 00 22 00 3A 00 22 00 70 00 69 00 6E 00 67 00 22 00 2C 00 22 }
        // UTF-16LE for: ';$c=get-content $p;remove-item $p;iex $c"
        // PowerShell that reads a file ($p), deletes it, then executes its
        // contents via iex (Invoke-Expression). Same trailing-00 caveat as $h1.
        $h2 = { 27 00 3B 00 24 00 63 00 3D 00 67 00 65 00 74 00 2D 00 63 00 6F 00 6E 00 74 00 65 00 6E 00 74 00 20 00 24 00 70 00 3B 00 72 00 65 00 6D 00 6F 00 76 00 65 00 2D 00 69 00 74 00 65 00 6D 00 20 00 24 00 70 00 3B 00 69 00 65 00 78 00 20 00 24 00 63 00 22 }

    condition:
        // MZ magic at offset 0 (PE file), a minimum size of 200KB, and at
        // least five of the seven markers above.
        // NOTE(review): only a lower size bound is set; an upper bound would
        // cheapen scans of large corpora if the sample sizes support one.
        uint16(0) == 0x5a4d and filesize > 200KB and (5 of them)
}
Type | Yara Rule |