// Flags the packed ELF backdoor attributed to UNC1945 ("STEELCORGI") by
// short opcode fragments; a file must carry the ELF magic and hit at least
// 3 of the 5 byte patterns below. Category is "informational" (see meta).
rule ELF_packed_STEELCORGI_backdoor_UNC1945 {
	meta:
		description = "Yara Rule for packed ELF backdoor of UNC1945"
		author = "Yoroi Malware Zlab"
		last_updated = "2020_12_21"
		tlp = "white"
		category = "informational"
	strings:
		// Nibble wildcard "4?" matches 0x40-0x4F, the x86-64 REX prefix range,
		// so these fragments presumably come from 64-bit code - TODO confirm
		// against the sample disassembly. Opcode readings below are from the
		// raw bytes only (reg/rm operands under a REX prefix may differ).
		// $s1: byte stores to [reg+0x3C] and [reg+0x3D] (88 47 3C / 88 57 3D)
		// interleaved with C1 6C .. 34 08 (shr dword [..+0x34], 8): reads as
		// a value being written out one byte at a time.
		$s1 = { 4? 88 47 3C C1 6C ?4 34 08 8A 54 ?? ?? 4? 88 57 3D C1 6C }
		// $s2: two 0F B6 (movzx) byte loads followed by C1 E2 18 (shl edx,0x18)
		// and C1 E0 10 (shl eax,0x10): reads as assembling a 32-bit word.
		$s2 = { 0F B6 5? ?? 0F B6 4? ?? 4? C1 E2 18 4? C1 E0 10 4? }
		// $s3: 8A 03 / 84 C0 / 74 ?? (mov al,[rbx]; test al,al; jz), 3C 3D
		// (cmp al,'=') twice, then C6 03 00 (mov byte [rbx],0): a scan that
		// NUL-terminates at '=', as in KEY=VALUE splitting - presumably.
		$s3 = { 8A 03 84 C0 74 ?? 3C 3D 75 ?? 3C 3D 75 ?? C6 03 00 4? 8B 7D 00 }
		// $s4: 32-bit add/store/load/xor/store/shift chain (01 C6, 89 44, 8B 44,
		// 31 F2, 89 74, C1 ..), presumably part of the decoding arithmetic.
		$s4 = { 01 C6 89 44 ?? ?? 8B 44 ?? ?? 31 F2 89 74 ?? ?? C1 }
		// $s5: REX-prefixed 89 D8 / 31 F2 / C1 E0 13 / 01 D7 (mov rax,rbx;
		// xor rdx,rsi; shl rax,0x13; add rdi,rdx): same arithmetic shape as $s4.
		$s5 = { 4? 89 D8 4? 31 F2 4? C1 E0 13 4? 01 D7 4? }
	condition:
		// uint32(0) reads the first four bytes little-endian; 0x464c457f is the
		// byte sequence 7F 45 4C 46 ("\x7fELF"), so only ELF files are scanned.
		// "3 of them" = at least 3 of $s1..$s5 anywhere in the file.
		// NOTE(review): no filesize bound; the patterns are short and partly
		// wildcarded, so a `filesize < N` guard (N chosen from the known
		// sample sizes) would bound scan cost and reduce chance hits on large
		// ELF binaries - confirm sample sizes before adding.
		uint32(0) == 0x464c457f and 3 of them
}
Details Website 2021-01-12 18 Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife - Yoroi