Common Information
| Type | Value |
|---|---|
| Value | YARA rule (reproduced below) |
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

```yara
import "pe"

rule YARA_CN_APT10_Trochilus_vcruntime140_dll_injector {
    meta:
        description = "Malicious DLL vcruntime140.dll launched using benign CASTSP.exe to inject encrypted shellcode containing Trochilus payload"
        author = "Insikt Group, Recorded Future"
        tlp = "white"
        date = "2019-01-16"
        hash1 = "eed0c7f7d36e75382c83e945a8b00abf01d3762b973c952dec05ceccb34b487d"
    strings:
        $s1 = "vcruntime140.dll" ascii fullword
        $s2 = "AppPolicyGetProcessTerminationMethod" ascii fullword
        $s3 = "CASTSP.exe" ascii fullword
        $s4 = "operator co_await" ascii fullword
        $s5 = "api-ms-win-appmodel-runtime-l1-1-2" wide fullword
        $s6 = "<!<(<3<=<E<" ascii fullword
        $s7 = "RUTLFJPBTJSFZZAOJTYP" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and
        (pe.imphash() == "c326c208bc65e6309413d8e699062a39" or all of them)
}
```