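// Autopatt-generated rule for the "oatboat" malware family (the rule name
// suggests a memory-only dropper variant). The meta block records the
// generation/validation settings and the sample hash the rule was tested on.
rule M_Autopatt_DropperMemonly_OATBOAT_1 {
	meta:
		author = "autopatt"
		description = "oatboat malware family"
		created = "02/09/2024"
		modified = "02/09/2024"
		version = "1.0"
		// Each meta value is a single YARA text string; a line break inside
		// the quotes is a syntax error, so long values stay on one line.
		test_hash = "6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605"
		filetypes = "exe,dll"
		dighash_cov_0 = "[[\"10a0654cddaedc8bfee4\", 3], [\"aa6b664471b41b27e9a8\", 3]]"
		target_set = "filemd5 +code(\"oatboat\")  ;; +filemime=\"application/x-dosexec\" -pe:framework=dotnet +limit(2000)"
		target_set_size = 7
		validation_set = "filemd5 +code(\"oatboat\"); filemd5 +sig(\"mal.oatboat\")  ;; +filemime=\"application/x-dosexec\" -pe:framework=dotnet +limit(2000)"
		validation_set_approx_size = 9
	strings:
		// Two code fragments (REX-prefixed, so apparently x86-64); `??` and
		// `[5]` wildcard the bytes that vary between samples (displacements,
		// immediates, jump targets).
		$p00_0 = { 48 89 7C 24 ?? 55 48 8B EC 48 83 EC ?? 48 8B F9 C7 45 [5] 33 DB C7 45 [5] 48 8D 4D }
		$p00_1 = { 44 3A C9 75 ?? 48 FF C6 48 83 C3 ?? 49 3B F3 72 ?? 49 8B 42 ?? 48 85 C0 75 }
	condition:
		// PE sanity check: "MZ" DOS header, then "PE\0\0" at the e_lfanew
		// offset read from 0x3C. Out-of-range reads are undefined in YARA and
		// simply make the condition false.
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		// Both fragments must appear within the given byte-offset windows at
		// the start of the file; there is no filesize bound beyond that.
		$p00_0 in (250 .. 6500) and $p00_1 in (0 .. 6000)
}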
Type Yara Rule
Details Published Attributes CTI Title
Details Website 2024-09-19 47 UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks