Common Information
| Type | Value |
|---|---|
| Value |
rule apt_NK_Lazarus_Fall2017_payload_minCondition {
meta:
desc = "Minimal condition set to detect payloads from Fall 2017 Lazarus
Campaign against Cryptocurrency Exchanges and Friends of MOFA 11"
author = "JAGS, Insikt Group, Recorded Future"
version = "2.0"
TLP = "Green"
md5 = "46d1d1f6e396a1908471e8a8d8b38417"
md5 = "6b061267c7ddeb160368128a933d38be"
md5 = "afa40517d264d1b03ac5c4d2fef8fc32"
md5 = "c270eb96deaf27dd2598bc4e9afd99da"
md5 = "d897b4b8e729a408f64911524e8647db"
md5 = "e1cc2dcb40e729b2b61cf436d20d8ee5"
strings:
$sub1800115A0 = { 48 8D 54 24 60 48 8D 8D B0 05 00 00 41 FF 94 24 88 20 00 00 4C 8B E8 48 83 F8 FF 0F 84 EA 01 00 00 48 8D 8D C0 07 00 00 33 D2 41 B8 00 40 00 00 E8 }
$sub18000A720 = { 33 C0 48 8B BC 24 98 02 00 00 48 8B 9C 24 90 02 00 00 48 8B 8D 60 01 00 00 48 33 CC E8 }
condition:
uint16(0) == 0x5A4D and filesize < 5MB and any of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |