import "hash"
import "pe"

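rule FlyingAFalseFlag_Exchanger {
	// Detects the "Exchanger" component (Exchanger_x64.exe / Exchanger_x86.exe)
	// described in the referenced Resecurity write-up: a PE that builds
	// Exchange Web Services SOAP requests (GetItem, DeleteItem, GetInboxRules)
	// and prints tasking / beacon / inbox-rule status messages.
	meta:
		description = "FlyingAFalseFlag - Exchanger_x64.exe, Exchanger_x86.exe"
		sha256_1 = "6a5605da5f7207b1b14b798e9428c2310633664eed53ce7bdb39a6847eff6609"
		sha256_2 = "c337983b7eefbea3cc02e4d011398292ccbd475ba932ced40603a4a9a3927032"
		reference = "Resecurity - C2 Frameworks: Threat Hunting in Action with YARA Rules (2024-08-02)"
	strings:
		// $s1, $s8 and $s19 are generic (API-set DLL name, manifest fragment,
		// SOAP header close) and also occur in benign binaries; they only add
		// weight to the "8 of them" count and should not be trusted on their own.
		$s1 = "api-ms-win-core-synch-l1-2-0.dll" wide fullword
		// EWS SOAP request fragments.
		$s2 = "<GetItem xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" ascii fullword
		$s3 = "<DeleteItem DeleteType=\"HardDelete\" xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" ascii fullword
		// $s4, $s5 and $s15 carry no modifiers, so they match as plain ASCII
		// substrings (no fullword boundary check).
		$s4 = "<soap:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t="
		$s5 = "://schemas.microsoft.com/exchange/services/2006/types\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\""
		// Operator-facing status messages; these are the most specific strings
		// in the set.
		$s6 = "[+] Found vault creds: %s / " ascii fullword
		$s7 = "[!] Failed to execute tasking" ascii fullword
		$s8 = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" ascii fullword
		$s9 = "[+] Auto-hide rule '%s' is ready" ascii fullword
		$s10 = "mail@<domain.com>" ascii fullword
		$s11 = "%localappdata%\\Microsoft\\Outlook\\" wide fullword
		$s12 = "<AutoDiscoverSMTPAddress>" ascii fullword
		$s13 = "<m:MailboxSmtpAddress>**MAILBOX**</m:MailboxSmtpAddress>" ascii fullword
		$s14 = "[+] Got tasking... executing." ascii fullword
		// $s15 is byte-identical to $s4, so it always matches together with $s4
		// and counts twice toward "8 of them". It is kept so the original
		// threshold is unchanged; de-duplicate and re-tune the count when the
		// rule is next revised.
		$s15 = "<soap:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t="
		$s16 = "[!] Failed to create rule '%s'" ascii fullword
		$s17 = "[!] Failed to beacon to '%s'" ascii fullword
		$s18 = "</m:GetInboxRules>" ascii fullword
		$s19 = "  </soap:Header>" ascii fullword
	condition:
		// Same logic as before, with precedence made explicit ('and' binds
		// tighter than 'or' in YARA) and the branches reordered: the import
		// checks and string counts come first, and the whole-file SHA-256
		// comparisons last, so the hash is only computed when the heuristic
		// branch does not already match (YARA short-circuits boolean operators).
		(
			pe.imports("kernel32.dll", "FindNextFileW") and
			pe.imports("kernel32.dll", "TerminateProcess") and
			pe.imports("wininet.dll", "InternetConnectA") and
			pe.imports("advapi32.dll", "LookupAccountSidA") and
			(
				// MZ header, size cap and a partial string match, or every
				// string regardless of size.
				(uint16(0) == 0x5a4d and filesize < 300KB and 8 of them)
				or all of them
			)
		)
		// Exact-hash fallback for the two known samples from the meta section.
		or hash.sha256(0, filesize) == "6a5605da5f7207b1b14b798e9428c2310633664eed53ce7bdb39a6847eff6609"
		or hash.sha256(0, filesize) == "c337983b7eefbea3cc02e4d011398292ccbd475ba932ced40603a4a9a3927032"
}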
Details Website 2024-08-02 396 Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules